SharePoint University

Hello,

I would like to authorise the access to a library with confidential documents only to certain users.

So i went on the site permission levels page to create a new permission called "No access". But i could not create it because i had to select at least one permission. I wanted to choose a useless permission but they are all linked to the "Open site, library...etc" permission, precisely the one i don't want.

=> What can i do ? If someone knows how to restrict the access to a library it would save me :)

Thanks a lot to all those who will take the time to answer,

Gzave 

Steps to create permissions for only those users you want to give access: 

• Move to the library you want to secure
• Menu: Settings -> Document Library Settings
• Permissions and Management: Permissions for this document library
• Menu: Actions -> Edit Permissions -> OK
• Put a checkmark in the box for all users you want to delete (probably everyone)
• Actions -> Remove User Permissions

Now you can add whoever you want to the library access list and give them whatever permissions you want.

Regards,
Mark

Hi,

Thank you for your response,

But i already did that and it didn't work : when i do this, the unauthorised users have not rights, but they can access the librairy and see the items.

=> i don't want them to see the items because it's confidential, i would like the page "Access Denied" when they click on the like to go on the library.

How can i do that ?

Thank you,

Gzave 

That seems odd to me. If you have restricted the library to only be accessed by specific users, I don't know how other users would be able to access the library. Try it by giving only yourself access and then have someone else login.

Maybe some admin guys like westdocs can take a shot at it, but I'm not sure where else to look.

Mark

 I don't understand too...

what did i do to obtain this result ?

Because it's always the same : even for an entire site, i break inheritance and i just authorise one user, but the others can still see the site...

If anyone has an idea it would be great :)

Thank you for your help Mark, for such an odd request...

Xavier
 

Mark Miller:

Maybe some admin guys like westdocs can take a shot at it, but I'm not sure where else to look.

Mark

I appreciate the vote of confidence, but I'm afraid I've never seen this behavior. Here are some things to check:

• Make sure anonymous access is off
• Make sure integrated or basic security is turned on
• Make sure the nt authority/authenticated users account is not listed with access to the site, especially in an administrative group for the site such as a default site owners.

A way to test authentication would be to create a new web application (put it on another port besides 80). Make sure the application is using either NTLM or Kerberos (confirm it by going into IIS and viewing the security of the new virtual server). Make sure anonymous access is off (confirm this as well in security in IIS). Create a new site collection and name only yourself as a site collection owner. Attempt to access the site as yourself. Have someone else access the site. If users not listed are still gaining access, I would recommend a call to Microsoft Product Support.

Best wishes!

• Confirm the site collection owners

I'd also like to add that if after following the checklist westdccs listed, if you still see the same behavior, then can you post a complete walkthrough of how you created a site and applied permissions so one of us could attempt to duplicate the issue? 

Your best bet would be to create a brand new web application (also as suggested by westdccs) and notate each and every step you take during its setup, configuration, site collection creation and application of permissions.  This will obviously take a little bit since you'll want to be rather extensive in your documentation, but one thing you might find during this excercise is that you may actually catch the misconfiguration yourself while you're going through the process simply because you'd be overly meticulous in your steps.

Hopefully you'll see something while going through it,

- Dink

Good thought, Dink. Documenting the process will slow everything down so that each configuration can be looked at. Sometimes we get into that 'unconcious compentency' mode where we just assume things are right because we've done it so many times before. Also, documenting the process at this point will be an invaluable historical reference for maintaining the implementation.

I, too, will be interested in the outcome of this process.

Regards,
Mark
EndUserSharePoint.com

Hi all,

Thanks you all for those good suggestions, however i don't work until Monday 15th.

So i will give a precise feedback on Monday after trying all that you said, without fail.

Thank you very much for your help, again,

Gzave. 

 Hi all again,

Guess what... I have the solutiooooooooooon !! Yes i'm happy.

More seriously, i followed all your pieces of advices before creating another Web Application (delete IE cache etc.).

That was finally the best thing to do. I decided to create it the same way i created it for the first Web Application, and i still don't see where i did something different than this time.

Whatever, after creating this new Web Application and a Site Collection, with only the Administrator account authorised on it, i tested the permissions by creating a group with a new account and a Read permission, and by deleting the access for this last user to a specific library. And it worked. BUT, i couldn't see the difference between the two sites in all of the People and Groups parts (Site permissions, Groups)...

So the error couldn't be at the Site Collection level, i started to search differencies at the Web Application level.

I found the problem in the    Central Administration > Application Management > Policy for Web Application    page.

Indeed, i had 2 lines in my first Web Application :

(All zones) -- NT AUTHORITY/Authenticated_users --  NT AUTHORITY/Authenticated_users -- Full Read

 (All zones) -- Search Crawling Account --  NT AUTHORITY/LOCAL SERVICE -- Full Read

 Whereas in the second one i had only one line :

 (All zones) -- NT AUTHORITY/LOCAL SERVICE --  NT AUTHORITY/LOCAL SERVICE -- Full Read

 I thus suppressed the first line to create a user identical to the new Web Application, and everything works now.

Actually, I don't understand the grounds of the problem :

-    Why these configurations where different because i don't remember having changed them => Is there a possible link between the People and Groups page (where I hadded authenticated_users) and this Web Application page ?

-    Why is there a Search Crawling Account in the first Web Application ?

-    Foremost, what is LOCAL SERVICE ? 

 I hope my questions are not too stupid, and that you didn't waste your time helping me.

 Whatever, i thank you a lot because without you, i wouldn't have found the issue.

Thank you again,

Gzave.

fourmi4x:

1. Why these configurations where different because i don't remember having changed them => Is there a possible link between the People and Groups page (where I hadded authenticated_users) and this Web Application page ?
2. Why is there a Search Crawling Account in the first Web Application ?
3. Foremost, what is LOCAL SERVICE ?

I'll take a stab at some of the questions:

1. There shouldn't be any relationship between the People and Groups and the Web Application page. It is possible that when setting up alternate settings (such as the search service) the additional account was added to the list. For handling search, you need to create a service account that will be used to crawl all of the content on your sharepoint server(s). This account should not be a farm administrative account.
2. The search crawling account is the account that has permission to crawl and index sharepoint content for searches. If this account does not exist, your end users will not return any results when searching.
3. Local Service is a built in account in Windows Server 2003. Many of the services provided by Windows Server 2003 run under the context of this account.

From the description of your solution (and questions), it sounds like the search crawling account may not have been configured properly in the first web application. That would explain why your content became available to every user no matter what you set the individual site and list/library permission to be. I recommend creating a specific account that can be used to index your sharepoint sites. Then go into central administration > operations and set up the services for search. Also check the settings for search under Application Management > Manage Search Service and the SSP > Search Settings.

 Hi,

Thank you for those explanations, i'll take a look at it.

Regards,

Gzave 

Hello All,

I have read these post because I am running into a similar problem with permissions to Document Libraries in Sharepoint 2007/MOSS 3.0.  I have a site with two document libraries.  I can give access to individual users to the entire site, then give access to the user at one of the document libraries, then under that document libraries i have additional libraries/folders and when I go to remove that use from one of those libraries/folders they are deleted from the entire site even though I am not inheriting permissions from the parent.  Some sites seem to work fine other don't.  I thought in Sharepoint 2007 I could give users permissions to a document library and then lock them out of individual folers.  Is this correct or where am I going wrong? 

 Thanks for the help,

John