Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


Default groups and access to Site but not Site Collection

Posted on 2011-03-02
Medium Priority
Last Modified: 2012-05-11

This is a 2 part SharePoint Server 2010 question.

1.- Is it possible to browse/navigate using the UI to _layouts/permsetup.aspx?
In MOSS this was done by click Groups > Settings > Setup Groups

2.- Is it possible to give a user access to: http://server/siteCol/DepSite BUT not access to http://server/siteCol/

Or do they always have to have access to the SiteCollection before they can access a site within that site collection?

We have numerous site collections with subsites. We have subsite Owners granting access to users from other site collections, but they're always been greeted with Access Denied, until they have some sort of access (view) to the site collection.

Since the subsite owners aren't able to give access to the site collection, it's kind of useless allowing them to give users access to their own site. And we also don't want these "Other site collection users" access to the site collection.


Bob is the owner of the site Pedals.
Pedals is a site in the site collection Bicycles.
Bob only has Viewing rights in Bicycles.

Bob has a friend "Jay" in another site collection "Skates Boards".
Bob would like to give Jay view only access to Pedals.
So Bob goes to  http://site/_layouts/user.aspx and adds Jay to the Visitors Group.
Jay receives an email from sharepoint@company.com saying Welcome to Pedal Visitos.
Jay clicks the link and receives ACCESS DENIED
Bob calls Sam (the SP administrator) saying Jay can't access Pedals.
Sam adds Jay to Bicycle Visitors.

Now Jay has access to Bicycles and Pedals.

Thanks :)
Question by:raybies
  • 2
  • 2

Expert Comment

ID: 35024211
For creating such permissions where you dont want the users to see the top level site collection but see the subsites on which they have access, you will have to provide some access to the users on the site collection as well.

Alternatively, you can provide related links to the users which they can click directly and move to the individual sub sites without going to the site collections.

However,All the sites on which the user has or will have a foot print should have some access for that user.
LVL 16

Author Comment

ID: 35024653
How do you propose I add a user to the site collection, without using a catch all group or specifically adding that user to the site collection.

It seems really stupid to have to give a user access to the whole site collection, just to look at; say 1 document of a subsite.


Accepted Solution

logideepak earned 2000 total points
ID: 35024831
when you want the user to view a document in the document library and provide a specific permission to that user on the document library, Sharepoint by itself provides the "Restricted Read" permission to that user on the Sharepoint sub site on which the document library is physically located.

However, in your case the document library is located in the sharepoint sub site, so as soon as you provide the access to the user on the document library, he will get a default access on the sharepoint sub site.

Now as far as the parent site collection goes in, you can provide a read access to the user on the site collection, so that he can see the site collection and simultaneously move to the share point sub site from there itself.

In my experience, when I did not wanted users to have the read access on the parent site, I used to create a dummy list / library and provide contribute access to the user and hidden the list link from the site. this in turn would have provided him with the "Restricted Read" access on parent site collection as well.

Expert Comment

ID: 35025621
I know what is your problem:
Your user have access to the Pedals site but cannot open some pages (maybe the default page, or all pages) because these pages are using resources of the Bicyles site.
(masterpage, images, xsl, css, webpart, ...)

Try to open the /Pedals/_layouts/viewlsts.aspx page to know if the problem is in the Pedals' masterpage.
If yes, remove all the Bicyles resources called in the masterpage.

If not, the problem is on your default page (or another) => look at the webparts, debug them if they are custom, or check their config to know which resources they are loading.

Good luck, this problem is hard to fix :)
LVL 16

Author Comment

ID: 35032994
Nomoho: It was a good idea, but no. /_layouts/viewlsts.aspx Error: Access Denied
Even though the account has full control.

logideepak: The issue is we need to be able to allow Site Owners to control permissions to their site.

Our company has ~4000 users and we can't give all these users access to every single site collection just in case they need to access a subsite.

Within Bicycles there are 100's of sites and some are inheriting permissions while others have broken inheritance.

Anyway I tried your solution even though it's not elegant... giving domain users "Limited Access" on the site collection by granting them access to a List, and it works.

Have you got a solution for part 1 of the question? I need a way for site owners to be able to create the default groups after breaking inheritance.



Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you create your solutions on SharePoint sooner or later you will come upon a request to set  permissions of the item depending on some of the item's meta-data - the author, people assigned as approvers, divisions, categories etc. The most natu…
These days socially coordinated efforts have turned into a critical requirement for enterprises.
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…
With just a little bit of  SQL and VBA, many doors open to cool things like synchronize a list box to display data relevant to other information on a form.  If you have never written code or looked at an SQL statement before, no problem! ...  give i…
Suggested Courses

571 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question