Hide/Display SharePoint site links from users via permissions

We are testing from a standard user account, so we know this isn't an admin issue. The Navigation Links for all Team Sites are still showing for our standard user account. Where can we find permissions that specifically control whether or not our user sees those Navigation Links for Team Sites that they do or do not have permissions for.

In case it's helpful:

Standard user has permissions for the Accounting Team Site but not the IT Team Site

Standard user sees both Navigation Links from their home page but can only successfully gain access to the Accounting Team Site, since she is appropriately permed for that Team Site.

What we're looking for is something akin to Access-Based Enumeration which we used on our 2012 R2 file servers.

Thank you.

There is a "check permission" control in the ribbon you can get to like this -

Site Actions --> Site Permissions --> Check Permissions

That is one way to determine the permissions of a user.

The permissions for the user are correct. They can successfully access Accounting but not IT, however Navigation Links for both Accounting and IT show on their home site. We want this user to only see the Navigation Links which they have permissions for, which in this case is Accounting.

Thanks.

Navigation is based on permissions, there is not a separate ACL for out of the box navigation. I am suggesting that although you see permissions as correct, keep in mind it can become tricky. Check again.
I can tell you from experience it is more likely that human error is the problem and not computer error.

The Accounting Team Site shows only the Accountants Security Group

The IT Team Site shows only the IT security Group

Our standard user is a member of Accounting and not a member of IT, yet our standard user can see Navigation links for both Accounting and IT.

Any other thoughts on where to check for mistakes or where we should be looking?

Thanks,

There are other system groups within each site such as "Style Resource Readers", "Restricted Readers", "Approvers", "Hierarchy Managers", "Designers" and maybe some more.  Your sites may not have any of these groups, but if it does make sure your users are not part of one of the system groups which would give the user access to all sites, and then all sites would show in navigation. As mentioned, you can go to the site that the user is NOT suppose to have access to and use the "Check Permissions" tool to see if the user has some type of hidden access. This wouldn't be a mistake, but something that happens all the time.

Good luck...

One last thing, and this is a very very long shot, but if for some reason the user is a site admin that would explain the access, but the user would not show up under the usual site permissions page.

After speaking to MS at length about this last week - following this exchange, they said what we asked above cannot be done. subsites can be hidden from user view through permissions, but site collections cannot. That sounds crazy to me though, but from our own practical experience we can see that subsites do hide as expected and that site collections do not. Is anyone aware of how to make site collection links only show up for users who have permissions to that site collection?

The subsite solution would work wonderfully for us if we had less than 1TB of data, but since there seems to be a hard 1TB limit for site collections, we feel forces to separate these out into various site collections. We are still struggling to figure a way to do this elegantly/seamlessly for our users. Presenting links to resources only to users that can connect to them.

Thanks,

User can only see Site Collections that they have access to, that they have some type of permissions for. Be it read only, limited access all the way to full control. Other wise they will receive access denied when navigating to the site collection, and also they will not see a site collection in the top navigation bar unless the user has been granted access to the site collection.

The exceptions would be if the navigation is not using standard SharePoint navigation controls. A hard coded link could of course be added to the page that would not be security trimmed. But that would not be SharePoint out of the box and would fall under the custom coding category.  


If what Microsoft is telling you it true, they have SharePoint setup incorrectly.

Good luck...

OK, we may be getting somewhere now then. I think we may have hard-coded the links accidentally, but I am going to check with our sys admin to be sure. If that is the base, we will remove the hard-coded links and do additional testing. More to come, thanks.

Hope that helps... sorry, should have asked sooner about the hard coded stuff but thought it was just the out of the box navigation...

Good luck...

Any luck?

Unfortunately, we only get the result we want with subsites. Subsites present to users with permissions only, but when trying to get the same result at the site collection or team site level, it shows all to everyone. Sadly, we've gotten no further on this.

You may have already tried this -

Go to the settings page of your SPO tenant. Click on Top Navigation Bar User Experience. You should see a table with some radio buttons that you can use to show or hide certain items from the top level navigation. Sites should be an option.

Not sure if this will help you or something you can use, but hope so.

Good luck...

We don't see site collections/team sites in the navigation bar in either case (show/hide are selected), and we only see them when they are hard-coded. As you mentioned, hard-coding presents a problem. So the current question is: How do we get site collections/team sites to show up at all in the nav bar without hard coding them?

Thank you.

Any luck?

Glad you found a workaround...

It's the best solution to the problem.