Tuesday, December 9, 2008

Issues when you stop inheriting permissions or configure unique permissions for SharePoint sites

In this post, we will talk about issues that may occur due to incorrect processing of certain inherited permissions.

As a site collection administrator, you need to be very careful when configuring permissions for specific sites under your site collection. You can inherit or break permissions (configure unique permissions) for any sub site based on site users’ requirements; however, certain scenarios may result in incorrect processing of permissions and bring down the entire site collection.

We experienced this issue when a site collection administrator changed the permissions of a couple of sub sites, which brought down the entire site collection and resulted in being unable to access the site collection or any of the sub sites under that site collection.

After struggling with this issue for a while, we came across the following KB article, which exactly explains our situation and the hot fix to resolve this issue.

http://support.microsoft.com/kb/935958

Here are the steps to reproduce this error:

  • You create a site collection or a top level site – e.g. Test SC.
  • You create a site that is named Site A. Site A inherits permissions from the parent site – Test SC. Then, you configure Site A to stop inheriting permissions.
  • Under Site A, you create a sub site that is named Site B. Site B inherits permissions from the parent site – Site A. Then, you configure Site B to stop inheriting permissions.
  • You configure Site A to inherit permissions from the top-level site – Test SC.
  • You create a document library in Site B, and then you configure the document library to inherit permissions from Site B.

In this scenario, the document library inherits permissions from Site B. However, you receive the error message “HTTP 500 - Internal server error” when you try to access a site in the site collection. Additionally, you may receive a “Cannot complete this action” error.

The interesting thing is that you will not be able to perform any operation on this site collection or any of its sub sites. This includes deleting the entire site collection, whether through the GUI or the command line (stsadm operations).

Let me share one more scenario with you…

You have a folder inside a document library. You have “Contribute” access to this folder, but you are unable to upload files. This issue is permission specific and will not result in any site access issues.

Here are the steps to reproduce this error:

  • You create a document library, e.g. “ProjDocs”, in a SharePoint site.
  • You create a folder, e.g. “Specifications”, under this document library. Then, you configure this folder to stop inheriting permissions.
  • You add a new user, e.g. “domain\xyz”, and assign “Contribute” permissions on this folder (Specifications). This will automatically add this user (domain\xyz) to the document library (ProjDocs) with “Limited Access” permissions. This user (domain\xyz) does NOT have any permission at site level. The user is allowed to access the contents of the “Specifications” folder only.
  • Then, you log in as this new user (domain\xyz). You see the “Upload” menu, but you are unable to upload documents and receive an “Access Denied” error.

There are two temporary resolutions to this issue.

  1. Use Windows Explorer to upload the documents from “Actions > Open with Windows Explorer” menu.
  2. Stop inheriting permissions for the document library where this folder resides and give that user “Read” permissions on the document library. In the above scenario, break permission inheritance for the “ProjDocs” document library and give “Read” permissions to the user “domain\xyz”. Use workaround #1 if you do not want the user to see any of the contents of the document library.

The ultimate solution for both of the above issues is to install Service Pack 1 (SP1) for Microsoft Office SharePoint Server 2007. Installing just a hot fix will upgrade your SharePoint farm to some intermediate version and may result in some environment specific issues. Therefore, it is highly recommended to install Service Pack 1 (SP1) for MOSS 2007.

Monday, December 8, 2008

Data View web part in SharePoint 2007

Open the WSS site in SharePoint Designer 2007 where you want to use the Data View web part. As usual, I have opened “Test Site Collection” in SharePoint Designer to add the Data View web part.

Select File > New > Create from Master Page… to create a new page for the Data View web part.

Select the appropriate Master Page for creating a new page. I want the default look and feel of the WSS site, so I have used the Default Master Page.

The new page should look like this,

The next step is to create a web part zone where you can add the Data View web part. Select “PlaceHolderMain (Master)” and click the “>” arrow in the top right-hand corner. Click “Create Custom Content” under the “Common Content Tasks” menu as shown below,

Now you should be able to click inside the “PlaceHolderMain (Custom)” and add a new web part zone. Select Insert > SharePoint Controls > Web Part Zone.

This should add a new web part zone, which we will use to add the Data View web part. Select the “Data Source Library” tab on the right-hand side panel of SharePoint Designer and click the “Connect to a database…” link.

This will open the “Data Source Properties” window. Click the “Configure Database Connection” button.

There are multiple ways of connecting to SQL Server:

1. Saving username and password as clear text in the data connection.

2. Using Single Sign-On authentication

3. Providing custom connection string

I have used the first method – Saving username and password as clear text in the data connection. I have created a new user called “DBAdmin”, which will work with SQL Server authentication as shown below.

Note: You may need to configure the database connection with Single Sign-On authentication if you want to use Windows authentication. You may provide a custom connection string, but that may require a stored procedure to query the database instead of a custom query. I have seen a few blog posts regarding the issues in using a custom query with a custom connection string, and you can query the database only with stored procedures.

http://www.u2u.info/Blogs/karine/Lists/Posts/Post.aspx?ID=4

Provide the name of the database server, username and password by selecting “Save this username and password in the data connection” under Authentication.

Click “OK” on the warning message window – “The selected authentication option saves the username and password as clear text in the data connection. Other authors of this Web site can access this information.”

Select the appropriate database and table to bring the data into the Data View web part. I have chosen the “Emp” table of the “test” database as shown below.

You may select only certain fields instead of all by clicking the “Fields…” button. You may also use the “Filter…” and “Sort…” buttons to customize your query. You may give this data connection an appropriate name in the “General” tab. I have named it “Employee Details”. Click “OK” when you are done.

Click “Employee Details” under Database Connections in the Data Source Library tab and click “Show Data”.

This will display data under the “Data Source Details” tab. Click the “Insert Selected Fields as…” button and select the appropriate view. I have selected “Multiple Item View”.

This will add the Data View web part to the web part zone. Select the Data View web part and select the appropriate operation under the “Common Data View Tasks” menu if you want to customize it further.

Finally, click the “Save” icon at the top of SharePoint Designer and save this page to the desired location. I stored it as “EmpDetails.aspx” at http://sharepoint-dev.corp.netapp.com/sites/SCTest/EmpDetails.aspx.

The following screen capture shows EmpDetails.aspx in SharePoint Designer 2007.

Here is the screen capture after browsing the EmpDetails.aspx page, which shows the Data View web part with the data pulled from SQL Server 2005.
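
Because the first authentication method stores the SQL login as clear text that other authors of the site can read, it is worth checking saved pages for embedded credentials. The following is an added example, not part of the original post: a small Python scanner that finds connection strings carrying a password in page markup. The function names, the sample server name and password, and the assumption that the connection is stored as a `ConnectionString` attribute on a data source control are illustrative.

```python
import html
import re

# ConnectionString="..." or '...' attribute anywhere in the page markup.
ATTR_RE = re.compile(r'ConnectionString\s*=\s*(["\'])(.*?)\1', re.I | re.S)
PASSWORD_KEYS = ("password", "pwd")
USER_KEYS = ("user id", "uid")
SERVER_KEYS = ("data source", "server")
DB_KEYS = ("initial catalog", "database")

def parse_connection_string(raw):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys.
    Simplification: semicolons inside quoted values are not handled."""
    pairs = {}
    for part in raw.split(";"):
        key, sep, value = part.partition("=")
        if sep and key.strip():
            pairs[key.strip().lower()] = value.strip().strip("'\"")
    return pairs

def first(pairs, keys):
    return next((pairs[k] for k in keys if k in pairs), None)

def find_stored_credentials(markup):
    """Return one finding per connection string that embeds a password."""
    findings = []
    for match in ATTR_RE.finditer(markup):
        pairs = parse_connection_string(html.unescape(match.group(2)))
        password = first(pairs, PASSWORD_KEYS)
        if not password:
            continue  # no password stored in this connection string
        findings.append({
            "line": markup.count("\n", 0, match.start()) + 1,
            "server": first(pairs, SERVER_KEYS),
            "database": first(pairs, DB_KEYS),
            "user": first(pairs, USER_KEYS),
            "password_length": len(password),  # never echo the secret itself
        })
    return findings

# Constructed sample markup; server name, login and password are made up.
SAMPLE_PAGE = """<SharePoint:SPSqlDataSource runat="server"
  ConnectionString="Data Source=SQLDEV01;User ID=DBAdmin;Password=Example-Pw-1;Initial Catalog=test;" SelectCommand="SELECT * FROM [Emp]" />
<SharePoint:SPSqlDataSource runat="server"
  ConnectionString="Data Source=SQLDEV01;Integrated Security=SSPI;Initial Catalog=test;" />"""

if __name__ == "__main__":
    for finding in find_stored_credentials(SAMPLE_PAGE):
        print(finding)
```

Any account reported this way should be treated as readable by every page author, so it should hold only the database rights the Data View actually needs.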