SharePoint Users Can’t Access That, Right?

The other day a customer was locking down a site collection but discovered that no matter what she did, all users in the entire organization still had read access. This, in a word, was troubling. Could it be that SharePoint has a giant gaping security flaw? Fortunately, this was just one of those cases when a nonintuitive feature feels like a bug.

You see, in addition to all the ways to set permissions for the site collection, website, list, and item levels—and also in addition to the farm admin and site collection admin super user capabilities—SharePoint has a non-obvious-though-not-quite-super-secret feature that allows global permissions across each application.

Reminder
In SharePoint parlance, farms contain applications, which contain site collections, which contain websites, which contain lists, which contain items. So permissions set at the application level cascade down to (and overrule) everything beneath it; only the farm level sits above it.

The feature, called User Policies, is a powerful way to grant permissions for a user or group to all (ALL!) objects in an application. Better yet, there’s a stealth flag that makes it so that the users don’t even show up in the “Shared With” list of each securable object (lists, etc.). By “better yet,” I really mean “Danger!” What follows is a quick walkthrough of using it. However, given its sneaky and awesome power, please use it with care, or maybe use it only to remove unnecessary global permissions.

  1. From SharePoint Central Administration, select Application Management, then Manage web applications.
  2. Select one of your applications and then select User Policies from the ribbon at the top.
  3. A dialog will appear listing a number of system service account and admin grants. Leave these alone (unless, of course, you are in a test farm and want to see what happens).
  4. This is where I deleted the All Domain Users group that had been added on the client farm that took us down this path. You see my name on this list? The next person who administers this farm is going to find that and say, “Hey now, I thought I deleted all permissions for that guy!” Until then, I’m like a stealth admin. More on stealth in a step or two. Let’s add a user. Click the Add Users button. It will ask about Zones. If you know what zones are, maybe you want to specify one. If not, stay with All and click Next.
  5. In Users, I’ve added a domain user. This could also be a domain group. I’ve selected permissions (you can deny permissions globally too; this is a great trick to try on your boss, wife, or HR). Finally, we come to the stealth feature. Or rather we skip it, but there it is: that last box that I’m leaving unchecked (this time). Now, if I go into a list in a web in the application I selected in step 2, I can see that this user has permission by clicking the Shared With button in the ribbon (way over there on the right).
  6. Finally, stealth mode: back to that box I left unchecked, Account operates as System. Did you see the description? That’s right, if you check this box, the user or group is no longer discoverable by Shared With or any other permission detection function in SharePoint. And any changes or updates made by the user are recorded as System. That’s ninja stealth, and it’s just the kind of thing you need to watch out for.
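The Central Administration walkthrough above works one application at a time, and the “Account operates as System” flag is exactly the kind of grant that never shows up in Shared With. The script below is an added example, not from the original post or from Thrive: it uses the SharePoint Management Shell (the server object model, run on a farm server as a farm administrator) to enumerate every web application’s user policies, including the per-zone ones the dialog asks about, flag the deny and operates-as-system entries, and remove an unwanted all-zones policy such as the All Domain Users grant from step 4. The domain, account and URL values are placeholders; `Get-UserPolicyReport` and `Remove-UserPolicy` are names chosen for this example.

```powershell
# Added example (not code from the original post): audit and prune SharePoint
# web-application user policies from the SharePoint Management Shell.
# Assumes the SharePoint server object model is available (run on a farm server
# as a farm administrator). Account and URL values below are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-UserPolicyReport {
    # Emits one row per policy on every web application: the "all zones"
    # collection plus each zone-specific collection, since a policy added for a
    # single zone does not appear in $webApp.Policies.
    foreach ($webApp in Get-SPWebApplication) {
        $scopes = [ordered]@{ 'All zones' = $webApp.Policies }
        foreach ($zone in [Enum]::GetValues([Microsoft.SharePoint.Administration.SPUrlZone])) {
            try { $scopes["Zone: $zone"] = $webApp.ZonePolicies($zone) } catch { }
        }
        foreach ($scope in $scopes.Keys) {
            foreach ($policy in $scopes[$scope]) {
                $bindings = @($policy.PolicyRoleBindings)
                [pscustomobject]@{
                    WebApplication   = $webApp.DisplayName
                    Scope            = $scope
                    Account          = $policy.UserName
                    Roles            = ($bindings | ForEach-Object { $_.Name }) -join ', '
                    # Deny roles (DenyWrite / DenyAll) override grants made anywhere below
                    HasDeny          = [bool]($bindings | Where-Object { $_.Type -like 'Deny*' })
                    # "Account operates as System": hidden from Shared With, audited as System
                    OperatesAsSystem = [bool]$policy.IsSystemUser
                }
            }
        }
    }
}

function Remove-UserPolicy {
    # Removes an all-zones policy for one account from one web application.
    param(
        [Parameter(Mandatory)] [string] $WebApplicationUrl,
        [Parameter(Mandatory)] [string] $Account   # e.g. 'CONTOSO\All Domain Users' (placeholder)
    )
    $webApp = Get-SPWebApplication -Identity $WebApplicationUrl
    $existing = $webApp.Policies | Where-Object { $_.UserName -eq $Account }
    if (-not $existing) {
        Write-Warning "No all-zones policy for $Account on $WebApplicationUrl"
        return
    }
    $webApp.Policies.Remove($Account)
    $webApp.Update()
    Write-Output "Removed web-application policy for $Account from $WebApplicationUrl"
}

# Usage: list everything, then review only the entries that bypass normal permission checks.
Get-UserPolicyReport | Format-Table -AutoSize
Get-UserPolicyReport | Where-Object { $_.OperatesAsSystem -or $_.HasDeny } | Format-Table -AutoSize
# Remove-UserPolicy -WebApplicationUrl 'http://sharepoint.contoso.local' -Account 'CONTOSO\All Domain Users'
```

Run the report periodically (or diff its output between runs) rather than relying on Shared With: a policy with OperatesAsSystem set is invisible to every permission check a site owner can perform, and the account’s edits show up in version history as System, so this list is the only place the grant is visible. Leave the service-account and admin rows from step 3 in place; the rows worth questioning are broad domain groups and any row flagged OperatesAsSystem that you did not add yourself.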
