Tuesday, December 9, 2008

Issues when you stop inheriting permissions or configure unique permissions for SharePoint sites

In this post, we will talk about issues that may occur due to incorrect processing of certain inherited permissions.

As a site collection administrator, you need to be very careful when configuring permissions for specific sites under your site collection. You can inherit or break permissions (configure unique permissions) for any sub site based on site users’ requirements. However, certain scenarios may result in incorrect processing of permissions and bring down the entire site collection.

We experienced this issue when a site collection administrator changed the permissions of a couple of sub sites. The change brought down the entire site collection, and we were unable to access the site collection or any of the sub sites under it.

After struggling with this issue for a while, we came across the following KB article, which explains exactly our situation and provides a hot fix to resolve it.

http://support.microsoft.com/kb/935958

Here are the steps to reproduce this error:

  • You create a site collection or a top level site – e.g. Test SC.
  • You create a site that is named Site A. Site A inherits permissions from the parent site – Test SC. Then, you configure Site A to stop inheriting permissions.
  • Under Site A, you create a sub site that is named Site B. Site B inherits permissions from the parent site – Site A. Then, you configure Site B to stop inheriting permissions.
  • You configure Site A to inherit permissions from the top-level site – Test SC.
  • You create a document library in Site B, and then you configure the document library to inherit permissions from Site B.

In this scenario, the document library inherits permissions from Site B. However, you receive the error message “HTTP 500 - Internal server error” when you try to access a site in the site collection. Additionally, you may receive a “Cannot complete this action” error.

The interesting thing is that you will not be able to perform any operation on this site collection or any of its sub sites. This includes deleting the entire site collection, whether through the GUI or the command line (stsadm operations).

Let me share one more scenario with you…

You have a folder inside a document library. You have “Contribute” access to this folder, but you are unable to upload files. This issue is permission specific and will not result in any site access issues.

Here are the steps to reproduce this error:

  • You create a document library, e.g. “ProjDocs”, in a SharePoint site.
  • You create a folder, e.g. “Specifications”, under this document library. Then, you configure this folder to stop inheriting permissions.
  • You add a new user, e.g. “domain\xyz”, and assign “Contribute” permissions on this folder (Specifications). This automatically adds this user (domain\xyz) to the document library (ProjDocs) with “Limited Access” permissions. This user (domain\xyz) does NOT have any permission at site level. He is allowed to access the contents of the “Specifications” folder only.
  • Then, you log in as this new user (domain\xyz). You see the “Upload” menu, but you are unable to upload documents and receive an “Access Denied” error.

There are two temporary resolutions to this issue.

  1. Use Windows Explorer to upload the documents, from the “Actions > Open with Windows Explorer” menu.
  2. Stop inheriting permissions for the document library where this folder resides and give that user “Read” permissions on the document library. In the above scenario, break permission inheritance for the “ProjDocs” document library and give “Read” permissions to the user “domain\xyz”. Use workaround #1 if you do not want the user to see any of the contents of the document library.

The ultimate solution for both of the above issues is to install Service Pack 1 (SP1) for Microsoft Office SharePoint Server 2007. Installing just a hot fix will upgrade your SharePoint farm to some intermediate version and may result in some environment specific issues. Therefore, it is highly recommended to install Service Pack 1 (SP1) for MOSS 2007.
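To see where the two arrangements described above already exist in a site collection, the following added example (not from the original post or the KB article) walks the WSS 3.0 object model from PowerShell and lists every sub site, library and folder with unique permissions. It assumes it is run on a SharePoint server by an account with full access to the site collection; the URL is a placeholder and the helper name `New-Finding` is hypothetical.

```powershell
# Added example: inventory of broken permission inheritance in one site collection.
# $SiteUrl is a placeholder; replace it with your own site collection URL.
param([string]$SiteUrl = "http://sharepoint.example.local/sites/testsc")

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint")

# Hypothetical helper: builds one report row.
function New-Finding($type, $url, $note) {
    $o = New-Object PSObject
    $o | Add-Member NoteProperty Type $type
    $o | Add-Member NoteProperty Url  $url
    $o | Add-Member NoteProperty Note $note
    $o
}

$site = New-Object Microsoft.SharePoint.SPSite($SiteUrl)
$report = @()
try {
    foreach ($web in $site.AllWebs) {
        try {
            $parent = $web.ParentWeb   # $null for the top-level site
            if ($parent -ne $null -and $web.HasUniqueRoleAssignments) {
                # First scenario: a unique sub site (Site B) whose parent (Site A) inherits
                $note = ""
                if (-not $parent.HasUniqueRoleAssignments) { $note = "unique site under an inheriting parent" }
                $report += New-Finding "Web" $web.ServerRelativeUrl $note
            }
            foreach ($list in $web.Lists) {
                if ($list.HasUniqueRoleAssignments) {
                    $report += New-Finding "List" $list.RootFolder.ServerRelativeUrl ""
                }
                foreach ($folder in $list.Folders) {
                    if ($folder.HasUniqueRoleAssignments) {
                        # Second scenario: a unique folder inside a library that still inherits
                        $note = ""
                        if (-not $list.HasUniqueRoleAssignments) { $note = "unique folder in an inheriting library" }
                        $report += New-Finding "Folder" ($web.ServerRelativeUrl.TrimEnd("/") + "/" + $folder.Url) $note
                    }
                }
            }
        }
        finally { $web.Dispose() }
    }
}
finally { $site.Dispose() }

$report | Format-Table Type, Url, Note -AutoSize
```

Rows with a non-empty Note match the shape of one of the two reproduction scenarios; they show where to review permissions, not that the error has occurred.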
