{"id":2084,"date":"2012-01-24T07:02:04","date_gmt":"2012-01-24T07:02:04","guid":{"rendered":"https:\/\/poiseddevelopers.com\/reality-tech\/?p=2084"},"modified":"2024-04-26T12:11:37","modified_gmt":"2024-04-26T12:11:37","slug":"library-and-folder-security-gotchas","status":"publish","type":"post","link":"https:\/\/poiseddevelopers.com\/reality-tech\/library-and-folder-security-gotchas\/","title":{"rendered":"Library and Folder Security Gotchas"},"content":{"rendered":"<p>When setting up SharePoint security on sites, libraries and folders, there are quite a few options available; however, not all approaches work as expected.\u00a0 This article outlines some pitfalls to avoid and best practices to keep your documents safe and sound and to ensure an optimal end-user experience.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Top-down_security\"><\/span>Top-down security<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>By far the best approach is to have the top-level sites as open as possible, and gradually restrict access as needed on subsites, then libraries and finally, if absolutely necessary, folders.\u00a0 If a library has broader access than its parent site, end users will not be able to navigate to it.\u00a0 There are two subtle problems to be aware of when violating this principle:<\/p>\n<ul>\n<li><strong>Granting broader access to Document Libraries<\/strong><br role=\"presentation\" data-uw-rm-sr=\"\" \/>When a user who does not have explicit Read access to a site accesses a document library within it, the browser and MS-Office Client will try to access Site-level information (such as the Document Information Panel, Content Types, Site columns, etc.), generating unnecessary end-user logon prompts.\u00a0 Entering credentials will not succeed, although users can \u201cescape\u201d past these logons.\u00a0 The better approach is to grant broader access to the site, and then lock down all other libraries.\u00a0 A simpler approach I\u2019ve used is to 
define a site-collection permission level called \u201cSite Reader\u201d with access to pages but not documents.\u00a0 This simplifies granting access and enables end users to navigate to their document libraries when fine-grained permissions are truly required.\u00a0 Once you start customizing security for more than one document library, it is worth asking yourself whether dedicated sites with custom permissions might be more appropriate.<\/li>\n<li><strong>Granting broader permissions to a folder<\/strong><br role=\"presentation\" data-uw-rm-sr=\"\" \/>Newbie administrators often try to grant broader permissions to a folder in a document library.\u00a0 While the configuration seems straightforward, end users cannot access the folder to which they have been granted read access.\u00a0 The only approach that will work here is to grant the users broader access to the document library, then lock down specific folders to keep them out.<\/li>\n<\/ul>\n<h2><span class=\"ez-toc-section\" id=\"Avoid_breaking_inheritance\"><\/span>Avoid breaking inheritance<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Everything within a Site Collection inherits security by default.\u00a0 There are, of course, times when inheritance needs to be broken in order to lock down security.\u00a0 Be aware that every time inheritance is broken, it creates administrative overhead going forward and is an opportunity for end-user confusion.<\/p>\n<p>If you really need to give broader access to a folder, here\u2019s how:<\/p>\n<ol>\n<li>Create a new Permission Level (details below).<\/li>\n<li>Assign the broader set of users to this permission level at the site level.<\/li>\n<li>Find the library where the site page(s) are located.\u00a0 This is often called \u201cPages\u201d.\u00a0 Break inheritance, and add everyone as \u201cRead\u201d to this library.\u00a0 That way users can view the landing page.<\/li>\n<\/ol>\n<p>Here\u2019s how to create the \u201cSite Reader\u201d permission 
level:<br role=\"presentation\" data-uw-rm-sr=\"\" \/>At the Site Collection level, go into \u201cPermission Levels\u201d under site security, and create a Permission Level called \u201cSite Reader\u201d, with the following permissions:<\/p>\n<ul>\n<li>Use Remote Interfaces<br role=\"presentation\" data-uw-rm-sr=\"\" \/>Use SOAP, Web DAV, the Client Object Model or SharePoint Designer interfaces to access the Web site.<\/li>\n<li>Use Client Integration Features<br role=\"presentation\" data-uw-rm-sr=\"\" \/>Use features which launch client applications. Without this permission, users will have to work on documents locally and upload their changes.<\/li>\n<li>Open<br role=\"presentation\" data-uw-rm-sr=\"\" \/>Allows users to open a Web site, list, or folder in order to access items inside that container.<\/li>\n<\/ul>\n<p>Set your folder permissions.\u00a0 Groups can be helpful here: a group is given the broader folder-level access, plus Read access to \u201cPages\u201d and Site Reader access to the site.<\/p>\n<p>Not pretty, but it works\u2026<\/p>\n","protected":false},"excerpt":{"rendered":"<p>When setting up SharePoint security on sites, libraries and folders, there are quite a few options available; however, not all approaches work as expected.\u00a0 This article outlines some pitfalls to avoid and best practices to keep your documents safe and sound and to ensure an optimal end-user experience. 
Top-down security By far the best approach [&hellip;]<\/p>\n","protected":false},"author":5,"featured_media":2087,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[47],"tags":[],"class_list":["post-2084","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security"],"acf":[],"_links":{"self":[{"href":"https:\/\/poiseddevelopers.com\/reality-tech\/wp-json\/wp\/v2\/posts\/2084","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/poiseddevelopers.com\/reality-tech\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/poiseddevelopers.com\/reality-tech\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/poiseddevelopers.com\/reality-tech\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/poiseddevelopers.com\/reality-tech\/wp-json\/wp\/v2\/comments?post=2084"}],"version-history":[{"count":1,"href":"https:\/\/poiseddevelopers.com\/reality-tech\/wp-json\/wp\/v2\/posts\/2084\/revisions"}],"predecessor-version":[{"id":2089,"href":"https:\/\/poiseddevelopers.com\/reality-tech\/wp-json\/wp\/v2\/posts\/2084\/revisions\/2089"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/poiseddevelopers.com\/reality-tech\/wp-json\/wp\/v2\/media\/2087"}],"wp:attachment":[{"href":"https:\/\/poiseddevelopers.com\/reality-tech\/wp-json\/wp\/v2\/media?parent=2084"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/poiseddevelopers.com\/reality-tech\/wp-json\/wp\/v2\/categories?post=2084"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/poiseddevelopers.com\/reality-tech\/wp-json\/wp\/v2\/tags?post=2084"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}