New Permissions Tools in SharePoint 2010

SharePoint 2010 has some nice additions to how permissions work compared to how they worked in SharePoint 2007. Back in 2007 it was always a challenge to maintain visibility of who had permission to which area. Once a user had grasped the concept of security in SharePoint – consisting of SharePoint Groups, Permission Levels (and the Permissions that make up a Level) – then often there was a proliferation of broken inheritance and new SharePoint Groups across a site collection. Whilst it was possible to click through to every site, list or library in a site collection, 3rd Party tools were relied upon to give a view of exactly how the security was configured.

In SharePoint 2010 this is greatly improved by the introduction of some new tools around security allowing you to:

  • View site collection permissions for a group
  • Check permissions for a particular user or group on a site or list
  • Show uniquely secured content on a site

Viewing site collection permissions for a group
To view the permissions for a group across a site collection you navigate to the group in question and then from the Settings menu (I’m hoping the ribbon UI will come before RTM) choose View Group Permissions. This gives a new dialog with a list of the URLs that the group has permissions on and the specific permission level. Note this dialog does not explicitly list every site, list or item, but rather the ‘parent’ URLs that they are inherited from.


Check permissions for a particular user or group on a site or list
From the permissions page on a site, list or item there is a new button on the contextual Permission Tools ribbon labelled Check Permissions. This button opens a dialog with an input for a user or group. Hitting Check Now returns a view of the permission levels given to that user or group on the site, list or item.


Show uniquely secured content on a site
For all their advantages, item-level security and the ability to break inheritance of permissions can turn keeping on top of security into an administrative nightmare. This has been mitigated somewhat by the ability to show uniquely secured content from the permissions page of a site, list or item. There is now a status message displayed if there is uniquely secured content. On a site or list the status message includes a link which brings up a dialog of exactly what content is uniquely secured.
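The group view and the uniquely secured content view described above can also be produced as one report from the server object model. The PowerShell below is an added example, not code from the original post: it assumes the SharePoint 2010 Management Shell on a farm server, `$SiteUrl` and `$Principal` are placeholder values, and it covers sites and lists only (individual items are not walked).

```powershell
# Added example: run as a script in the SharePoint 2010 Management Shell.
# $SiteUrl and $Principal are placeholders (assumptions), not values from the article.
param(
    [string]$SiteUrl   = "http://sharepoint.example/sites/team",
    [string]$Principal = ""   # optional: display name of a group or user to filter on
)

if (-not (Get-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Emit one row per role assignment defined directly on a securable object.
function Get-DirectAssignment($Securable, [string]$Type, [string]$Url) {
    foreach ($ra in $Securable.RoleAssignments) {
        $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join "; "
        New-Object PSObject -Property @{
            Type = $Type; Url = $Url
            Principal = $ra.Member.Name; Levels = $levels
        }
    }
}

$site = Get-SPSite -Identity $SiteUrl
try {
    $rows = @(foreach ($web in $site.AllWebs) {
        try {
            # Only objects with broken inheritance hold their own assignments;
            # everything else inherits from one of the URLs reported here.
            if ($web.HasUniqueRoleAssignments) { Get-DirectAssignment $web "Site" $web.Url }
            foreach ($list in $web.Lists) {
                if ($list.HasUniqueRoleAssignments) {
                    $url = $web.Url.TrimEnd('/') + "/" + $list.RootFolder.Url
                    Get-DirectAssignment $list "List" $url
                }
            }
        } finally { $web.Dispose() }   # webs returned by AllWebs must be disposed
    })
} finally { $site.Dispose() }

if ($Principal) { $rows = @($rows | Where-Object { $_.Principal -eq $Principal }) }
$rows | Sort-Object Url, Principal | Format-Table Type, Url, Principal, Levels -AutoSize
```

The filter matches the principal that holds the assignment, so a user who gets access only through a SharePoint or domain group appears under that group's name, not their own.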


These are all great improvements and highlight again how Microsoft have been listening to the feedback from MOSS and built it in to 2010.


17 comments to New Permissions Tools in SharePoint 2010

  • tim

    Good article Glyn. Have you found a way that add only permissions can be set on a form. eg I want a user to be able to fill in a form to populate a list but I don’t want them to be able to view the list ie a create item only

    • Thanks Tim. Re a user being able to create a new item without being able to view the list I don’t think there’s an out-of-the-box way of doing this, as I believe the add new item right will require the view item right (I’d need to check to confirm).

      A couple of alternative approaches for you may be:

      • Create a link to the new form from your site home page, or wherever, and add the ?Source= querystring parameter so that they are redirected after adding the item without ever ‘touching’ the list. Note, they would still be able to manually enter the URL and visit the list.
      • See if you can edit the properties for the list so that users can ‘Read only their own items’. Unfortunately I believe this right is only available on a few types of list.

      Hope that helps,

  • cerno

    Hi Glynn,

    could you advise me how to create only concepts group. Is it possible? Member of this group can work just with concepts.

    thanks a lot.

    • Cerno – sorry, I’m not quite sure I understand what you mean by ‘concepts’. If this is just a particular type of content then the standard way to restrict access would be to have a particular site or library specifically for ‘concepts’ and then set the permissions for a particular SharePoint group on that site/ library.

  • Steve McRoberts

    Creating a group for site permissions works well. When attempting to do the same thing for a page or a document library the create group option is not there. Is there a way to do this? Thanks a lot for your help.

    • Hi Steve. The SharePoint Groups that you create are actually independent of a specific site; they can be applied to any site, list/library or item in your site collection.

      To try this out – create a new group and then navigate to your library or list that contains the page or document that you want to set permissions on. Select the row of the item and then from the ribbon you should see an option to manage the permissions for that item.

      This is known as Item Level Security in SharePoint, and I’m sure there will be plenty of information to Bing or Google out there!

      HTH

  • RonGuy

    How can I determine all of objects in a site that a group has access to? As an example, I have a SharePoint group called TestGroupSP. I want to delete the group, but first want to make sure that the group does not have any permissions on any sites, lists, libraries, etc. How can I find all permissions assigned to TestGroupSP?

  • sathya

    Hi Glyn,

    How can I reassign the permission that should be valid for that particular department colleagues only.

  • Bjorn

    Hi Glyn!
    Nice article, very helpful!

    What if you need to check a user’s permission across an entire web application with several site collections? Would you need to go into each site collection’s top level site? In such a case, it would still be quite cumbersome…

    Thanks!
    –Bjorn

    • Thanks Bjorn! I’m afraid I can’t think of a way to do this through the UI across an entire web application without resorting to custom code/ script or a third party management tool (for example I think Lightning Tools and Quest have offerings).

      I’m sure there must be a way to do this via PowerShell if you have the option to run that? Otherwise if you have access to a development team (or are a dev!?) then they could maybe write a custom web part for you.

      Thanks,

  • Chris Byrom

    Nice article.

    The view site collection permissions option for groups was also available in SP 2007. Too bad they have not expanded it to do the same thing for users and domain groups. That would be really helpful!

  • Julia Milton

    My organization hasn’t gone up to SharePoint 2010 yet, but we’re hoping to be migrated later this autumn.

    Can you tell me whether SP 2010 includes a feature that lets you, as site owner, view the site according to the permissions granted to other users? At the moment I have to log off and log on again under a test account. It becomes cumbersome to do this when testing multiple permissions on multiple subsites.

    Thanks!

    • Hi Julia,

      I don’t know if you can actually navigate to the site without changing the user (which you can do via the “sign in as a different user” option in the welcome control, top right) – but there is also the Check Permissions option that I mention above which is a really useful way to quickly find out if a particular user can see/ edit the site etc.

      HTH

  • I’ve found that if you remove a user from an active directory group and you refresh the check permission the information remains old… can you verify?

    Roberto Tonon
    info@websharepoint.it
    http://www.websarepoint.it

  • Paul

    I set up a SharePoint sub-site and added one user to the permissions (reader level) for one specific list. The site has unique permissions, does not inherit from the main site. He is not listed anywhere else but in the permissions for the list. He can however see all the quick launch links and open them and view to his heart’s content. I want to restrict what he can open and limit it to the one list

    He has contributor access to the Main site, but none of those groups are included in the sub-site

    Thanks

    • Hi Paul,

      It sounds like you’ve checked all of the obvious things! However, when I find myself in this position it’s usually because I’ve overlooked something or other.

      So, first off – definitely use the ‘Check Permissions’ tool (available on the ribbon) for one or two of the lists or items that you don’t want the user to have access to. This will show you from which group they are being granted permissions.

      My gut feel is that the sub-site was created with inherited permissions and then inheritance was broken. If this is the case then all of the lists etc will have been created with the parent’s site permissions – hence the user may have access. It’s important to remember that breaking permission inheritance doesn’t change any existing permissions, it just takes a copy and stops changes made above trickling down.

      HTH
