SharePoint Holmes and the Pesky Permissions

SH-Pesky-ByOllieArteThe case

“This user is losing her access all the time”, the site owner said. “She keeps getting an access denied and then asking me for access”.
Now I know that SharePoint permissions can be a bit of a nightmare, but I have not come across situations where people who have access, suddenly lose that without any actions on the side of the site owner or manager of the permissions group.

The site owner told me he had added her to a group in his site. This group needs Edit permissions to the Commercial documents, a document library with confidential information.

“When she gets that access denied message, do you find she has disappeared from that group?” I asked him, but he did not know that.  Not very helpful, but a site owner should not have to be a detective, of course; things should just work.

So…time to get my Detective paraphernalia out of the closet and set out on a hunt for clues.

The investigation

    1. First step: site permissions.
      The group was called L1-CommercialTeam, with Read permissions.

      SH-Pesky-Site permissions
      I still have not figured out why permission levels are mentioned in Dutch, but trust me: The L1-CommercialTeam has Read access on this site.

      That looked OK, knowing she would have Edit permissions on one library. And indeed, when I looked at the “Users with Limited Access” I saw this:

      Limited access because this group has Edit permissions on one document library.
    2. I checked the settings of the group. The user was a group member. The owner of the group was the site owner group, so there were no other parties who might have been messing about.
    3. I checked the permissions of the group: Read + Limited Access on the site, Edit on the document library. OK.
    4.  I checked the permissions for the library with confidential information. Indeed, the group had Edit permissions there.

      Enter a caption
    5. So, everything looked OK. What could have gone wrong? It is extremely hard to solve things that “occasionally happen” so I needed some time to think about next steps.
    6. I decided to have a look at all the permissions in the site, knowing that things can be more complicated than you might think at first sight.
      That was interesting: all 3 document libraries in the site had unique permissions, but the L1-CommercialTeam only had access to the Commercial Documents.

      All document libraries in this site have unique permissions
    7. I contacted the user and she confirmed that the she got the access denied when she wanted to go to the other document libraries.
    8. I contacted the site owner and asked him when he had created the Commercial Documents library and the group  – this had been done recently.

The solution

As the unique permissions in the other document libraries had been created before the L1-CommercialTeam group had been created and added to the site, the L1-CommercialTeam did not automatically get access to those libraries.

I informed the site owner about the permissions in his site – that all libraries had different permissions and that the user had requested access to the two libraries that she did not have access to.
He had inherited the site from a predecessor and was not aware of the unique permissions.
Besides, as the group appeared to have Read permissions at site level, he thought the group had access to everything. I can not blame him, really.

He gave the L1-CommercialTeam access to one library, and re-inherited permissions to the other. No access denieds have been reported since.

So, dear site owner, please check the unique permissions in your site on a regular basis. SharePoint Online has a very useful link on the site permissions page, which has turned into my new BFF:

This link allows you to see all libraries and lists with unique permissions, as well as libraries and lists that contain items with unique permissions.


About SharePoint Holmes:
Part of my role is solving user issues. Sometimes they are so common that I have a standard response, but sometimes I need to do some sleuthing to understand and solve it.

As many of my readers are in a similar position, I thought I’d introduce SharePoint Holmes, SharePoint investigator, who will go through a few cases while working out loud.

Image courtesy of Ollie Olarte.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s