Default groups and access to Site but not Site Collection

Posted on 2011-03-02
Last Modified: 2012-05-11

This is a 2 part SharePoint Server 2010 question.

1.- Is it possible to browse/navigate using the UI to _layouts/permsetup.aspx?
In MOSS this was done by click Groups > Settings > Setup Groups

2.- Is it possible to give a user access to: http://server/siteCol/DepSite BUT not access to http://server/siteCol/

Or do they always have to have access to the SiteCollection before they can access a site within that site collection?

We have numerous site collections with subsites. We have subsite Owners granting access to users from other site collections, but they're always been greeted with Access Denied, until they have some sort of access (view) to the site collection.

Since the subsite owners aren't able to give access to the site collection, it's kind of useless allowing them to give users access to their own site. And we also don't want these "Other site collection users" access to the site collection.


Bob is the owner of the site Pedals.
Pedals is a site in the site collection Bicycles.
Bob only has Viewing rights in Bicycles.

Bob has a friend "Jay" in another site collection "Skates Boards".
Bob would like to give Jay view only access to Pedals.
So Bob goes to  http://site/_layouts/user.aspx and adds Jay to the Visitors Group.
Jay receives an email from saying Welcome to Pedal Visitos.
Jay clicks the link and receives ACCESS DENIED
Bob calls Sam (the SP administrator) saying Jay can't access Pedals.
Sam adds Jay to Bicycle Visitors.

Now Jay has access to Bicycles and Pedals.

Thanks :)
Question by:raybies
  • 2
  • 2

Expert Comment

ID: 35024211
For creating such permissions where you dont want the users to see the top level site collection but see the subsites on which they have access, you will have to provide some access to the users on the site collection as well.

Alternatively, you can provide related links to the users which they can click directly and move to the individual sub sites without going to the site collections.

However,All the sites on which the user has or will have a foot print should have some access for that user.
LVL 16

Author Comment

ID: 35024653
How do you propose I add a user to the site collection, without using a catch all group or specifically adding that user to the site collection.

It seems really stupid to have to give a user access to the whole site collection, just to look at; say 1 document of a subsite.


Accepted Solution

logideepak earned 500 total points
ID: 35024831
when you want the user to view a document in the document library and provide a specific permission to that user on the document library, Sharepoint by itself provides the "Restricted Read" permission to that user on the Sharepoint sub site on which the document library is physically located.

However, in your case the document library is located in the sharepoint sub site, so as soon as you provide the access to the user on the document library, he will get a default access on the sharepoint sub site.

Now as far as the parent site collection goes in, you can provide a read access to the user on the site collection, so that he can see the site collection and simultaneously move to the share point sub site from there itself.

In my experience, when I did not wanted users to have the read access on the parent site, I used to create a dummy list / library and provide contribute access to the user and hidden the list link from the site. this in turn would have provided him with the "Restricted Read" access on parent site collection as well.

Expert Comment

ID: 35025621
I know what is your problem:
Your user have access to the Pedals site but cannot open some pages (maybe the default page, or all pages) because these pages are using resources of the Bicyles site.
(masterpage, images, xsl, css, webpart, ...)

Try to open the /Pedals/_layouts/viewlsts.aspx page to know if the problem is in the Pedals' masterpage.
If yes, remove all the Bicyles resources called in the masterpage.

If not, the problem is on your default page (or another) => look at the webparts, debug them if they are custom, or check their config to know which resources they are loading.

Good luck, this problem is hard to fix :)
LVL 16

Author Comment

ID: 35032994
Nomoho: It was a good idea, but no. /_layouts/viewlsts.aspx Error: Access Denied
Even though the account has full control.

logideepak: The issue is we need to be able to allow Site Owners to control permissions to their site.

Our company has ~4000 users and we can't give all these users access to every single site collection just in case they need to access a subsite.

Within Bicycles there are 100's of sites and some are inheriting permissions while others have broken inheritance.

Anyway I tried your solution even though it's not elegant... giving domain users "Limited Access" on the site collection by granting them access to a List, and it works.

Have you got a solution for part 1 of the question? I need a way for site owners to be able to create the default groups after breaking inheritance.



Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I recently came across an issue with a MOSS 2007 deployment where access into some sub-sites were denied, even for the MOSS farm administrators. A bit of background to the setup of this MOSS farm; this was a three server setup, consisting of a fr…
Microsoft SharePoint Foundation 2010 and Microsoft SharePoint Server 2010 do not offer the option to configure the location of the SharePoint diagnostic trace log files during installation.  This can, however, be configured through Central Administr…
This tutorial gives a high-level tour of the interface of Marketo (a marketing automation tool to help businesses track and engage prospective customers and drive them to purchase). You will see the main areas including Marketing Activities, Design …
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now