SharePoint Holmes and the elusive Link

HH-header“Users can not access links”.
What a boring title, I thought when this incident was assigned to me. But, as usual, there was a twist to it.

The case

Several users of a local site received a “you do not have access” when they clicked a link that was added to a news item on the homepage. This link directed to a pdf-document.  According to the site owner, they should have access.

So I put my SharePoint Holmes Admin Hat on, and dove into the site.

The investigation

The homepage contained an Announcement list in Newsletter Style. The text “read more” (I know, not the best way to name a link) led to a pdf in a document library in the same site, called News Documents.

HH-Local News
The Local News list. “Read More” should take you to a document.

The News Documents library contained 2 items.

HH-NewsDocuments
The News Documents library
HH-NewsDocumentsLibrary
The 2 documents

The document library inherited permissions from the site.
The audience included myself, so I decided to take a look as my “normal” self.

Yes, I could access the page. But when I clicked on the link “Read more” I got a “Sorry, you don’t have access to this page”.

I looked into Site Contents and saw that the library contained 2 items, but when I opened the library, I saw no documents. Hmmm.

HH-Library-user
As a normal user, I can see the News Documents library contains 2 documents.
HH-emptylibrary
As a normal user, I do not see any documents in this library.

I went back into admin mode, and checked again.

  1. I checked the link on the homepage – was it perhaps a broken link? No, it looked solid and led to the pdf without further ado.
  2. Did the documents open in browser by default, which might hamper the opening of a pdf? I checked the Advanced Settings but it opened by default in the client.
  3. Had the documents been checked out? No, I did not see the green tell-tale mark.
  4. I wanted to take a better look at the views, to see if those could tell me more.  There were rather a lot of columns in the default view, so I had to do some horizontal scrolling to get to the Views link.
    “Draft” I suddenly noticed in the right-hand column.
    “0.1” I saw in the column next to it. That column was called Version.
HH-FullDocumentLibrary
I had not seen the “Version” and “Approval Status” columns in my earlier investigation…

AHA.

The solution

In the Versioning settings I noticed that content approval was enabled, and only people with approve permissions and the author could see drafts.

HH-ContentApproval
The Content Approval settings

Both documents had never been approved and were therefore visible for only a few users.  Everyone else got a “you do not have access” as for the majority of users, these documents were not yet accessible.

That explained why I could see it as an admin, but not as a normal user.

The site owner was not aware of the versioning as he had inherited the site. When I explained, he decided to turn of the content approval as that was not really needed for these documents.

Another issue solved! Now would you classify this as a document management issue or a permissions issue?

Image courtesy of vectorolie at FreeDigitalPhotos.net

Advertisements

SharePoint Holmes and the disappearing Datasheet View

SPHolmes1Part of my role is solving user issues. Sometimes they are so common that I have a standard response, but sometimes I need to do some sleuthing to understand and solve it.
As many of my readers are in a similar position, I thought I’d introduce SharePoint Holmes, SharePoint investigator, who will go through a few cases while working out loud.

The first case is about a Datasheet View.

The case

One of the users of a site did not see the items in a list. Having access to the data was a requirement for his role and he had always been able to see this content before it was migrated to SharePoint Online.

So, I put on my SharePoint Holmes cap and rolled up my sleeves.

The investigation

  1. I logged in with my Admin account and went into the site.
  2. I saw the items perfectly well. Just items in a Datasheet view.
  3. Permissions check – the user had Read permissions to the site.
  4. Items with unique permissions check – the list had unique permissions but the user had Read access.
  5. Item-level permissions check – in the Advanced List Settings it showed that all items were visible to all users of the site.
  6. Workflow check – no workflow reducing permissions after going through a process.

Right, that was an interesting one.

  1. It was time to look through the eyes of the user, so I added myself to the same user group and checked. An empty list stared back at me.
  2. I went through the other views and found a standard one. I could see the items in there, and so could my user.
  3. One of my colleagues mentioned that issues with the latest IE update had been reported, which might have influenced the Datasheet view.  We tried different browsers. That made no difference, but there was always that difference between user and admin.

Hmmm….

The solution

Search engine to the rescue! One of the results surprised me, and I had to test that.

I created a datasheet view in my own tenant. It looked like this:

SPHolmes-Datasheet-Owner
What the Admin sees

Then I logged in with Contribute permissions. It looked like this:

SPHolmes-Datasheet-Contributor
What a Contributor sees

Then I logged in with Read permissions. It looked like this:

SPHolmes-Datasheet-Reader
What a Reader sees

You need at least Contribute permissions before you can see items in a Datasheet view.

The Datasheet view is meant for editing, so only people with edit permissions can see items in it. It makes sense and I have always told people to use the Datasheet view very sparingly as it is only too easy to change something. The many Excel-addicts in my user base however loved it and have also used it for display purposes in our SharePoint 2007 intranet.
Now they either have to elevate permissions or recreate their views.

Interestingly enough this was a permissions issue, but different from what I have ever seen before!

Image courtesy of Geerati at FreeDigitalPhotos.net

7 SharePoint permissions bloopers

Permissions bloopers 4

The other day I came across an interesting tweet:

Yes, been there, done that! And this made me think of all those other times that I, or my users, have made a mistake with permissions, either by forgetting to think and doing this on routine, or by ignorance.
Here they are, for your learning and enjoyment.  Laughing is allowed; sharing your own bloopers is encouraged!

2. Deleting a group

Did you know that deleted Groups do not go via the Recycle Bin, so they are gone for good?
So, when you want to do this, first check to which content the group has access. If that is only to your site, you can safely delete it; if is has permissions to other sites, please talk to the owner(s) of the other site(s) first!

How to check: Click on the group name on your permissions page, click Settings > View Group Permissions and you will see a pop-up like this:

accessforgroups
In this case the group only has access to one site, so it can safely be deleted if needed.

3. Removing a group from a site and forgetting its name

Good luck finding that in your site collection’s list of groups! (which likely contains at least 3 x as many groups as there are sites, and most likely many more)

A good naming convention, as well as keeping some documentation or screenshots of your permissions setup may help limit the damage. Another good idea is noting the MembershipGroupID’s of the group’s URL. These can be found in the group’s URL, e.g.

…/Share/_layouts/15/people.aspx?MembershipGroupId=165

The 3 default groups of a site are created with subsequent numbers, so if you remove one of those you can probably find them by changing the MembershipGroupID at the end of the group URL. In the screenshot above, Owners, Members and Visitors group have numbers 164, 165 and 166, respectively.

4. Clicking on “manage parent” to edit permissions

You need to change permissions of a site that has inherited permissions. Without thinking you click on “Manage parent” and start making changes, not fully realizing that you are now changing the permissions for both sites. You should have clicked on “Stop Inheriting Permissions” first!
The damage can vary.
I have once changed the top site of a site collection that way. The good news was that I finally got rid of a lot of outdated “Limited Access” users, but it was only later that I realized I had also removed everyone’s permissions from various site collection galleries.

5. Removing yourself from a group, site or library

This is generally annoying but benign, as long as you have quick access to a site collection administrator who can add you back.  I get about one call a week from someone who has locked themselves out.

6. Not clicking “Show Options” when you  share something with “Everyone”

Sharesitewitheveryone
Do click that “show options” link on the bottom of the Share screen!

This sends an email to all the company (and gives them contribute permissions if it is a site). Well, at least people know you and your site exist, but I do not know if “Everyone” will appreciate your marketing tactics! 🙂

And (in my opinion) the most disastrous of them all:

7. Inheriting the permissions from the parent site

You click “Delete unique permissions’ without realizing you are not at the document library, but at the site level. The permissions of your site will now be the same as the parent site.
You may not be the site owner of that site. Even worse, you may not even have access! An even if someone is kind enough to create unique permissions again and give you back your access, all unique permissions are gone.

An example: this site has unique permissions.

UniquePermissions
If you see “This Web Site” you are at site level!

This site has some content with different permissions

UniqueExceptions

When I click “Delete unique permissions” in the site I get a warning in a mix of English and Dutch – which is the first time I have seen this:

UniquePermissionsWarning

And if you click OK the permissions are inherited from the parent and there are no unique permissions anymore. The original groups also have no access anymore.

Uniqueafterinherit
No content with unique permissions after inheriting permissions from the parent site.

While this may be a good reset of your site if you have completely lost the overview of the permissions, it can be a nightmare if you have a well-managed site with confidential content that needs well-managed unique permissions.

General recommendations

  • Make sure you have an overview of the permissions of your site. It can be a simple mention in the description of the list or library (“this list is only accessible for the MT”), or a separate document with a detailed description.
  • Stop and think before you hit a button – if in doubt contact your help person.

Have you made any other permissions management mistakes? Do share!

Where do SharePoint permissions live?

permissions-treasuremapAfter we moved to SharePoint online, users did not know how to find or change permissions in folders and items anymore. In general I prefer to keep it that way 🙂 but I was curious to learn how it was done now, since I provide support on permissions issues.

Permissions pages for sites and lists/libraries have not changed for ages, but in SharePoint Online you have to follow a different path than before to get to the permissions page for folders, documents and list items.

When talking about the permissions page: I am referring to a page like this:

Permissions Page
The permissions page has a complete overview of groups and individuals, the ribbon, and a yellow bar with information about unique permissions in this unit, users with limited access and more.

Of course you can see the permissions page via my new BFF, the link “show items with unique permissions” on the Site Permissions page, but there are times when you do not want to see if there happens to be an exception, but what the permissions actually are for a certain folder or item.
(I recently saw a site with so many unique permissions that I completely lost track and could not figure out what was NOT in that list)

I am not very good at drawing or illustrations, but I want to learn. Here’s my attempt to show how to find the permissions page for a team site, containing a list, containing a folder, containing an item. (An item can be inside or outside a folder)

Folders and items: Details pane in list/library

Whether the item is in a folder or not, in both situations the permissions page is found via the details pane.

Details Pane
The details pane is on every list/library and is context-sensitive. When you select a folder, document or item it shows info for the selected item.

You need to be in the list or library (i.e. via Site Contents) to see the details pane. When you click “Change permissions” under “Has access” (this will be under the metadata) you will see this:

Permissions-advanced 2
Go to the permissions page via the details pane

You can also go to the above place by using the new Share interface and clicking the … top right and then the “Manage Access” link that appears which leads to a similar pop up as the screenshot above. Click “Advanced” to go to the Permissions page.

Permissions -advanced 3
The new Share interface with …

Folders and items – Share/Get a Link in web part

If you use a list or library web part, and the … are displayed, you can use the “Share” or “Get a Link” option to get there using the “Shared with” link and then clicking “Advanced”. The web parts use the “old” Share experience, which I expect will be replaced with the new Sharing experience, above.

Permissions-advanced1
Web parts still use the “old” Share interface. I expect this will change over time.

Have you found any more ways to go to the page with the permissions?

photo credit: MontyAustin Goonies Treasure Map via photopin (license)

350 intranet promotion videos!

350 videosRecently I passed the 350 mark in my collection of intranet and Yammer promotion videos. Time for another modest celebration!

New trends

More and more intranets are promoting a section for video content, so I guess this is a new trend.
Otherwise, “simplification” and “user feedback” still play an important role in every relaunch, and so they should 🙂 .
Also, more and more intranets (but not all!) are social, and “usable on all devices” is starting to be the norm, rather than the exception.

Of course my collection is meant for your information and amusement, but I occasionally hear that people are using it as a serious starting point for their own video. In general, I can suggest the following steps:

1. Check what related organizations have done

Use the filter and see what your industry peers are doing, and what their intranets look like, if the video shows that. Most selections contains a variety of styles (talking heads, animations, demo’s, stories, serious, funny, etc. ) that may give you ideas about the sort of video you would like to create.

2. Determine your boundaries

Watch my list of rather extreme videos. Do you also want to create a full movie, a very silly video, have a hysterical voice-over, or would you rather stay on safer ground?

3. Watch metaphors for solving common business issues

If you are looking for metaphors of solving common business problems such as too many emails, or not knowing where the expertise is in your company, this selection may help you on your way.

4. When in doubt, create a demo

A well-made demo is always worth the investment, so if you have no other needs or wishes, a demo may be the best way moving forward.

  • you can show employees how to work with the intranet, reducing the need for extensive classroom or webinar training
  • you can show employees how they are supposed to work, if a new way of working is among your goals for the new intranet. In a demo video it can be done subtly and matter-of-fact.
  • it can be used for onboarding new employees for a long time after the launch
  • if you share it, we can see your intranet! 🙂

This is my selection of good demos.

I hope you can use these tips to create your own video. And please remember to put it online for others to enjoy!

It never ceases to amaze and delight me that so many people enjoy my videos. I even got sort of suggested for the Diamond Award of IntranetsNow 2017!

Treat!

And finally, to celebrate, I have a very special video: the one that was made to celebrate the launch of the new intranet of my former employer Sara Lee, in 2005. It has not been added to my collection yet – you saw it here first! It is “vintage”, so please ignore the bad quality 🙂

And then to think this all started as a whimsical blog post!

Image courtesy of vectorolie at FreeDigitalPhotos.net (“350” added by me)

91 ways to display Summary Links

SL-headerYou can use Summary Links to display links on a SharePoint page.
It appears to be a forgotten web part. Microsoft has written support information about it for SharePoint 2007 which is still mostly correct today, so it appears not to have changed since launch.  I have not found many blogs about it; even Greg Zelfond did not mention it recently when he explained the various Links options in SharePoint.

I have always preferred the Links List, since that allows all the flexibility of a list AND you keep the data if you remove the web part from your page or mess up the view. Additionally, if you remove a link it will go to the Recycle Bin.
My main concern with Summary Links is that it only exists on the page, so if you accidentally delete a link or the web part you have to start all over again from scratch. However, it has its uses:

  • When you want to add icons or pictures to your links
  • When you need multiple columns, e.g. as a footer on your site
  • When you want the links list to make a visual difference to your page

Adding the web part

Click the Gear wheel and select Edit Page from the menu.
Click the zone where you want to add the web part. This will often be the Right zone or a Bottom zone if you want to use it as a footer, but it can be anywhere you want.
Click “Content Rollup” in the web part gallery and you will see Summary Links.

SL-webpart gallery
The Summary Links web part can be found under Content Rollup

You can edit the title of the web part, hide it, and do the usual things via the web part menu. Adding links and groups and changing style are done in the web part itself.

SL-Webpart config
All “work” on the content is done in this Edit view

Adding links

If you want to group your links, it is best to create your groups first so you can add any new link to an existing group immediately. You can select a style later.
Adding a link gives you the following screen:

SL-New Link
The New Link screen.

You can either browse for pictures or for the items you want to link to (e.g. pages or documents that live in your site or site collection) or you can paste the URL’s.

How to change the styles for links and groups

Now, suppose you have some links added to your web part and you are curious to see how they display on the page. Click “Stop editing” and see what your page looks like. The default setting is quite good, but there are other options.

To change the style, put your page in Edit mode again, go to the web part and select “Configure Styles and Layout”.
You then get the screen below which allows you to select one of 13 Links styles and one of 7 group styles. That’s 91 combinations to choose from!

SL-configurestyles
You can change the default style of newly added links, but also change all existing links in one go.

To save you time, I have created a Summary Links web part and tried all styles and groups. They are in the file below so you can easily scroll through them to see

  1. What the web part itself looks like (left)
  2. How the page looks with this style (right). The size of the web part will vary greatly depending on the style chosen and the rest of the information on the page, so this is a factor to reckon with.

Please view in full size!

Save a copy!

Once you have added all your links, and you are happy with the end result, it is wise to create a copy in case you need a restore. You can do that via Edit page > Open the web part menu > Export. You can then save a copy to your PC and/or in your site.

Enjoy the variety! What is your favorite style?

Image courtesy of atibodyphoto at FreeDigitalPhotos.net

 

 

7 steps to clean up unique permissions

cleanup-headerIn my latest post I showed you how you could limit the options to share the content in your site. I hope that you have made some decisions, so now it is time to clean up the mess.
Let me remind you why too many options to share can turn into a problem:

  • Sharing a document or list item, or using the “Get a Link” option, creates unique permissions, and that means that the permissions of a document or list item no longer follow the permissions of the site. So if you add a new group (recommended) or a new person (not recommended) to the site, this group or person will not automatically get access to those items.
  • This will lead to unexpected access denied messages and therefore Access requests.
  • Approving Access requests may lead to more unique permissions AND they give people Contribute permissions by default, which may be too much.
  • Unlimited sharing (especially with external users) can lead to your documents falling into the wrong hands.

So, how to take back control of your site after you have changed some of the settings?

Have a note-taking system ready – paper, OneNote, Notepad, document – whatever is your thing. You will need to make some notes.

1. Process pending Access requests

Go to Site Settings > Access Requests and Invitations and see who has requested access.
Click the … next to each name and add people to site groups as much as possible. If you do not see the site group mentioned, note down their names with the group that you want to add them to.

2. Remediate content with unique permissions

a. Go to Site settings > Site permissions and click on this link:

Cleanup-Show items
Show the items with unique permissions, intended and accidental. Very useful functionality!

b. You will get a pop-up with all lists and libraries that have different permissions.

Cleanup-showitemsiwhtuniquepermissions
Focus on the lists with “View exceptions”. Those contain the items where you have created unique permissions by accident.

c. The items marked as “manage permissions” are usually lists and libraries that have different permissions by design. Skip these.
d. Click on “view exceptions” for the first list or libraries that has this mentioned. You will see all documents (including pages and images) or list items that have unique permissions.

Cleanup-Documentswithuniquepermissions
List of documents (or items) that have unique permissions. Rightclick “manage permissions” and open the link in a new tab.

e. Using Rightclick > Open in new tab, click “manage permissions” for the topmost item.  (If you just click “manage permissions”, you will have to start at a. again for the next document or list item)
f. Check if there are any people mentioned that you may want to add to one of the site groups, and note down their names + intended site group.
g. Click “Delete Unique permissions” to re-inherit the permissions from the list or library.

Cleanup-deleteuniquepermissions
After noting down Kimberley B as a potential Visitor click “Delete Unique Permissions” to bring the document’s permissions in line with the rest of the document library and site.

h. Repeat steps e, f and g for the next document or list item.

3. Weed out “limited access”

Limited access is an annoying thing that tells you that there are, or have been, unique permissions – or it may mean nothing at all.
If this site has existed for some time and you do not know it very well, you can skip this step for now because you might remove people who are there for a good reason.

a. Go to Site settings > Site permissions and click on this link:

Cleanup-Show users
Show people with limited access. This can be caused by Sharing, Get a Link or accepting an Access request.

b. Check if there are any people mentioned that you may want to add to one of the site groups, and note down their names + intended site group.

Cleanup-RemoveKimB
You can remove Kimberley B from this page. (“Beperkte toegang” means “Limited Access”)

c. Remove any individual users so you are left with only the site groups.

4. Add the new users

Add the users that you noted down during steps 1, 2 and 3 to their respective groups.

5. Review the Members group

During the time that you had no restrictions, Members may have added other Members.  Review your list of Members and change their roles or remove them where needed.

6. Replace any “breaking links” on your pages

Hover over every link on every page in your site and look at the link in the bottom-left of your screen. Links of the “Can View” or “Can Edit” type  will generally have  “guestaccess”  in their link and they will cause unique permissions.

When I did not know all this yet, I had created some Promoted Links with the “Get a Link – Can View” link to a page. As soon as I created the link, the permission inheritance for the page was broken and everyone who clicked on the link was added as individuals to the page.

Cleanup-GetaLink
Link “”Document 5″has been created with “Get a Link”. The URL is: …../Team/Share/_layouts/15/guestaccess.aspx?/….

Replace every one of those links with the “Restricted Link” equivalent.

7. Monitor

Review on a regular basis if the restrictions and the cleanup work make you feel more in control of your site. Depending on your choice of measures, you may need to do more approvals from Visitors or Contributors who want to share content.

How have you dealt with the “Unholy trinity of creating unique permissions” 🙂 ? Would you like to share your frustrations or have you found a good way to deal with this that other readers can benefit from?

Image courtesy of artur84 at FreeDigitalPhotos.net