Breaking Is Not Hard To Do

BreakingPermissionsDo you know what the following questions all have in common?

  • “I see a completely different homepage menu/libraries/folders than my other team members”
  • “I can no longer check out or edit a document”
  • “I know he has access to the list, but he can not access the link I send him”
  • “I have given her full control, but she still can not see that library”
  • “I can no longer access the site or library that I am supposed to manage”

Yes, you guessed it – these questions are all permissions-related.

It sounds really neat and useful to be able to limit access to sites, libraries and folders in SharePoint. It is easy to add groups and individuals and set it up just the way you think is best.
Many people, however, do not realize the full consequences of breaking permissions (= giving subsites, lists, libraries and folders different permissions than the site). As a result, I provide a lot of support on permissions-related issues.

I have found it hard to help users understand how it works in words, so I have created a series of pictures for clarification. You know I am not a designer, so if you have better visuals, please share!

Default site permissions.
First, let us show what the permissions in a “normal” site look like.
The fat dark blue line is a site. The blue blocks are libraries and lists. Or apps, as SharePoint 2013 calls them. 🙂
The purple circles are user groups. There is an Owners group (O) with Full Control, there is a Members group (M) that can read, add, edit and delete, and a Visitors group (V) that can read.

This is the default permission setup of a site - the site and all lists and libraries have exactly the same permissions.
This is the default permission setup of a site – the site and all lists and libraries have exactly the same permissions.

All lists and libraries have the same permissions throughout the site.
When we add an individual or another group to the site, (the circle with the person icon), this person/group will also have access throughout the site.

A new group or individual will automatically have access to all content.
A new group or individual will automatically have access to all content.

2. Site containing a library with different permissions.
Let us assume there is one library that contains confidential information, and we do not want Visitors to see that. You go to “Library Settings” and “Permissions for the library”, you edit permissions and remove the Visitors group. You add a note to the description of the library that this has different permissions. Visitors will not see the library anymore.
The permissions have now been broken, hence a dotted line around the library.

Broken permissions- one library has different permissions.
One library has different permissions, and Visitors no longer see or have access to the library.

Next, you want to add new people to the site. The best way is to add them to one of the groups – they will have the correct access. But if you add a new group or an individual to the site, they will not see the library. That is because the permissions have been broken, meaning that the site and this library no longer align and you need to maintain both entities. So, you have to give this person/group access twice…that is double the work!
But…Owners often forget that they have broken permissions. So they give someone access to the site, but that someone can not see the library. They then give that someone Full Control to the site, but they still can not see the library.
I hope the picture below shows you why.

Adding an indivudal to a site with broken permissions.
When you add an individual or group to the site, they do not automaticaly get access to all content. Permissions have been broken.

Now you know why I recommend to add a message in the description field of the library – that helps the Site Owner remember! And of course you see the benefits of adding new people to an existing group instead of as individuals.

So yes, breaking permissions is easy to do. Maintaining and supporting, however, is a lot of work!

Next time I will show you a few other scenarios.

You may also like:

The Key and the Team Site
Frankly my dear, they are just not that into your content

Title inspired by “Breaking up is hard to do” by Neil Sedaka.

Image courtesy of David Castillo Dominici at FreeDigitalPhotos.net

Advertisements

4 thoughts on “Breaking Is Not Hard To Do

  1. Beth February 16, 2014 / 9:56 pm

    Hi Ellen, thanks for posting the permissions info. Not sure if you know the answer but hoping it’s a setting. When I break inheritance it does not work. If i delete or change a person or group that was there before Inheritance was broken it changes upstream to the parent and other inh subsites. Thanks for any pointers. Beth. Sp2010

    • Ellen van Aken March 20, 2014 / 7:19 am

      Interesting question, Beth! Now if you add or remove someone from a group that has access to both sites, that is understandable, and exactly why I always suggest to use groups rather than individuals. But it is different for an individual. Are you sure that you have broken permissions consciously? I once thought I was adjusting permissions in a subsite, but I forgot to read the message saying “This site inherits permissions from its parent…etc.” So I started adjusting and only after making the changes I realized that I had automatically moved to the topsite and had adjusted permissions there. In the subsite, I should have clicked the Actions > Edit Permissions button first! Oh well, a good learning experience! But if that was not the case in your situation, please let me know!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s