SharePoint Holmes and the Pesky Permissions

The case

“This user is losing her access all the time”, the site owner said. “She keeps getting an access denied and then asking me for access”.
Now I know that SharePoint permissions can be a bit of a nightmare, but I have not come across situations where people who have access, suddenly lose that without any actions on the side of the site owner or manager of the permissions group.

The site owner told me he had added her to a group in his site. This group needs Edit permissions to the Commercial documents, a document library with confidential information.

“When she gets that access denied message, do you find she has disappeared from that group?” I asked him, but he did not know that.  Not very helpful, but a site owner should not have to be a detective, of course; things should just work.

So…time to get my Detective paraphernalia out of the closet and set out on a hunt for clues.

The investigation

    1. First step: site permissions.
      The group was called L1-CommercialTeam, with Read permissions.

      I still have not figured out why permission levels are mentioned in Dutch, but trust me: The L1-CommercialTeam has Read access on this site.

      That looked OK, knowing she would have Edit permissions on one library. And indeed, when I looked at the “Users with Limited Access” I saw this:

      Limited access because this group has Edit permissions on one document library.
    2. I checked the settings of the group. The user was a group member. The owner of the group was the site owner group, so there were no other parties who might have been messing about.
    3. I checked the permissions of the group: Read + Limited Access on the site, Edit on the document library. OK.
    4.  I checked the permissions for the library with confidential information. Indeed, the group had Edit permissions there.

    5. So, everything looked OK. What could have gone wrong? It is extremely hard to solve things that “occasionally happen” so I needed some time to think about next steps.
    6. I decided to have a look at all the permissions in the site, knowing that things can be more complicated than you might think at first sight.
      That was interesting: all 3 document libraries in the site had unique permissions, but the L1-CommercialTeam only had access to the Commercial Documents.

      All document libraries in this site have unique permissions
    7. I contacted the user and she confirmed that she got the access denied when she wanted to go to the other document libraries.
    8. I contacted the site owner and asked him when he had created the Commercial Documents library and the group  – this had been done recently.

The solution

As the unique permissions in the other document libraries had been created before the L1-CommercialTeam group had been created and added to the site, the L1-CommercialTeam did not automatically get access to those libraries.

I informed the site owner about the permissions in his site – that all libraries had different permissions and that the user had requested access to the two libraries that she did not have access to.
He had inherited the site from a predecessor and was not aware of the unique permissions.
Besides, as the group appeared to have Read permissions at site level, he thought the group had access to everything. I can not blame him, really.

He gave the L1-CommercialTeam access to one library, and re-inherited permissions to the other. No access denieds have been reported since.

So, dear site owner, please check the unique permissions in your site on a regular basis. SharePoint Online has a very useful link on the site permissions page, which has turned into my new BFF:

This link allows you to see all libraries and lists with unique permissions, as well as libraries and lists that contain items with unique permissions.

 

About SharePoint Holmes:
Part of my role is solving user issues. Sometimes they are so common that I have a standard response, but sometimes I need to do some sleuthing to understand and solve it.

As many of my readers are in a similar position, I thought I’d introduce SharePoint Holmes, SharePoint investigator, who will go through a few cases while working out loud.

Image courtesy of Ollie Olarte.


SharePoint Holmes and the Embedding Enigma

My SharePoint Holmes cases are not extremely technical or complicated. Most of the solutions to the issues that I encounter have been amply described in blogs and Microsoft support. So why do I sometimes feel at a loss when I have a new issue to solve?

  • I am still learning about SharePoint Online
  • Users generally do not know what the issue is and they do not use the most precise language. Nobody likes an issue that stops you doing your job and calls for submitting a support ticket, so I can imagine you want to spend as little time as possible on that ticket.
  • As a result, things may have a different cause and solution than I expect from the description. I may think that it is permissions-related (I often do), while it may be PC, browser or document library settings. Or vice versa.

For instance “I can not manage my site” (to me, this sounds like a permissions issue) has meant different things in different circumstances:

  1. “I can not edit my site’s homepage” (because the page has been checked out to someone else – this is a document management issue, not a permission issue)
  2. “I can not manage permissions” (because I am not the owner of the group I want to manage – a permissions issue)
  3. “I can not manage this content in my site” (because this content has unique permissions and for one reason or another I am not in the site owner’s role here  – a permissions issue)
  4. “I do not know how to manage my site” is a training issue

With this SharePoint Holmes series I try to start with the issue as described by the user. As that is not always clear or correct, I sometimes start off on the wrong foot.

The case

“Hyperlinks in a document on SharePoint are not working” the title of the incident read.

Well, “not working” or “is broken” are always great and accurate descriptions that any support person loves to see 🙂 . So I called the owner and asked him to demonstrate the situation.

The issue was with a manual (in Word) that lived in a document library.  The document had some embedded documents as well as some hyperlinks to a company system.

The real problem was: “In this document, the embedded documents as well as some specific links can not be opened – they appear unclickable”

The investigation

    1. I opened the manual – I noticed that the document opened in Online format.
    2. I clicked on a number of links – all links to pages worked OK but I could not open the embedded docs. There was no “hotspot” or “zone” where the cursor showed something clickable.

      The embedded Word document was not clickable
    3. The special links (to a certain system) looked properly configured, but they gave an error message.
    4. I could not find anything strange in versioning settings (no mandatory check out) or advanced settings. The opening behavior was set to “use the server default (open in the browser)” which is standard practice.
    5. I determined to take a better look at the document, because only that document caused the issue. I did not want to make changes to the content, so I downloaded it.
    6. I opened it in Word. The embedded documents could be opened – they had an active window. And I could open the special links too!

The solution

OK, this was easy. I changed the library’s opening behavior to “open in the Client application” and opened the document again. Yes, the embedded documents and the links were now clickable and opened without problems.

An active zone appears around the embedded document when opening the document in Word

I can not explain what was happening with the links but they could be opened in the Client software.

This is yet another illustration of the fact that the Online versions of the Office programmes are limited in functionality.

The owner of the manual was happy, but I suggested uploading all embedded documents into the document library and making links to them from the “Master Document”, instead of embedding. If they are in a document library, you can manage and update them online when needed, and the link in the Master document will always lead to an up-to-date document. If you embed the document, it will live on its own and there will be no history of changes or anything.

Which issues with the opening behaviour of document libraries have you encountered? (Apart from my earlier password-protected document case)

Image courtesy of Craig Whitehead on Unsplash.com

SharePoint Holmes and the Haunted Homepage


The case

“Oh, Ellen, I think I have done something terrible to my site”, the site owner said, a note of panic in her voice. “I keep getting requests for access, while this is a site for all employees, and I do not know what I have done wrong”.

We had already noticed a number of tickets where people complained that they had lost access to this important site (and it was period-closing time so many people had to upload reports).

My first thought was “I hope she has not clicked “Delete Unique Permissions” when on the site permissions page” because that inherits the permissions from the parent AND removes all unique permissions from the site.
Although I like that as a thorough cleansing option for when you do not know how your permissions are set, in this case it would have been rather disastrous.

SharePoint Holmes to the rescue! I put on my admin cap and ventured into the site.

The investigation

  1. I opened the site. No problems for me, but then I am an admin so I have permissions for everything.
  2. Gear wheel > Site Settings > Site permissions. Phew, “This web site has unique permissions” was still there. So permissions had not been inherited.
    There were a number of groups with a variety of permission sets, including a Visitors group with Read permissions, which included all company employees. That looked OK.
    Of course there were also a few items with unique permissions, but that is not unusual and it hardly ever leads to a sudden flood of support tickets.
  3. I looked at what had been set as the homepage. (Site Settings > Welcome Page). “Homepage_New”.  That made sense.

    You can determine the welcome page yourself.
  4. I checked the Pages library. Yes, there was a page called Homepage_New and it was the page I had seen when I entered the site.
  5. It was time to check the permissions for the Pages library. Aha, “This library has unique permissions” and only the Owners (Full Control) and Visitors (Read) were mentioned. Good idea – you do not always want everyone with Edit or Contribute permissions to manage (and mess up) your pages.

    The Pages library had limited permissions to avoid unwanted editing. But Visitors (Bezoekers) have Read (Lezen) permissions. (I have tried everything to get this page to display in English, not Dutch, but it does not work.)
  6. Then I noticed something in the yellow box: “Some items of this list may have unique permissions which are not controlled from this page”. And yes, one of the pages was “Homepage_New” to which only the Site Owners had access…

    The Welcome page had different permissions – in this case only the Owners had access.

The solution

I quickly deleted the unique permissions from the page so at least Visitors could access the homepage again. Then I informed the site owner what had been causing the issue.

So yes, this was a permissions issue, but everyone still had access to the site. It was only the Homepage that was restricted, leading everyone to believe that they could also no longer reach the content of the site.
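The root cause of this case and of the Pesky Permissions case above, as an added Python example (not code from this blog or from SharePoint): a simplified model in which stopping inheritance copies the parent's assignments at that moment, plus an audit that lists which site principals each uniquely permissioned library or page lacks. The Owners and Visitors groups in the first site and the names Library A and Library B are constructed, and Limited Access is not modelled.

```python
"""Simplified model of SharePoint permission inheritance (added example)."""


class Securable:
    """A site, library or item that either inherits or has unique permissions."""

    def __init__(self, name, parent=None):
        self.name, self.parent, self.children = name, parent, []
        # None means "inherits"; the top-level site always owns its assignments.
        self.unique = {} if parent is None else None
        if parent is not None:
            parent.children.append(self)

    def effective(self):
        """Assignments that apply here: own if unique, otherwise the parent's."""
        return self.unique if self.unique is not None else self.parent.effective()

    def break_inheritance(self):
        """'Stop Inheriting Permissions': copy the parent's assignments as of now."""
        if self.unique is None:
            self.unique = dict(self.parent.effective())

    def reinherit(self):
        """'Delete unique permissions': drop own assignments, follow the parent."""
        if self.parent is not None:
            self.unique = None

    def grant(self, principal, level):
        self._require_unique()
        self.unique[principal] = level

    def revoke(self, principal):
        self._require_unique()
        self.unique.pop(principal, None)

    def _require_unique(self):
        if self.unique is None:
            raise ValueError(f"{self.name} inherits; stop inheriting first")


def cannot_open(site, node):
    """Principals that hold a permission on the site but none on this securable."""
    return sorted(set(site.effective()) - set(node.effective()))


def audit_unique_permissions(site):
    """Map each securable with unique permissions to the site principals it lacks."""
    findings, todo = {}, list(site.children)
    while todo:
        node = todo.pop()
        todo.extend(node.children)
        if node.unique is not None and cannot_open(site, node):
            findings[node.name] = cannot_open(site, node)
    return findings


def pesky_permissions_case():
    site = Securable("Team site")
    site.grant("Owners", "Full Control")          # constructed groups
    site.grant("Visitors", "Read")
    for name in ("Library A", "Library B"):       # constructed library names
        Securable(name, site).break_inheritance()  # unique before the group exists
    site.grant("L1-CommercialTeam", "Read")       # group added to the site later
    commercial = Securable("Commercial Documents", site)
    commercial.break_inheritance()
    commercial.grant("L1-CommercialTeam", "Edit")
    return site


def haunted_homepage_case():
    site = Securable("Site")
    site.grant("Owners", "Full Control")
    site.grant("Visitors", "Read")
    pages = Securable("Pages", site)
    pages.break_inheritance()        # Pages library: Owners + Visitors
    home = Securable("Homepage_New", pages)
    home.break_inheritance()
    home.revoke("Visitors")          # welcome page: Owners only
    return site, home


if __name__ == "__main__":
    print(audit_unique_permissions(pesky_permissions_case()))
    site, home = haunted_homepage_case()
    print("Locked out of the welcome page:", cannot_open(site, home))
```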

Tip

If this ever happens to you or your audience, and you expect that you have access to this site (e.g. because you have always had access or you have just been invited), try checking Site Contents.
Take the root of the site (https://company.sharepoint.com/…/sitename/) and then add “_layouts/15/viewlsts.aspx?view=14” to it. Create the link and paste it in the browser.
If you still get an access denied, you likely have no permissions.
If you see the content, it means there is something wrong with the welcome page.

Has this ever happened to your users?

Image courtesy of Stuart Miles at FreeDigitalPhotos.net

SharePoint Holmes and the disappearing Datasheet View


The first case is about a Datasheet View.

The case

One of the users of a site did not see the items in a list. Having access to the data was a requirement for his role and he had always been able to see this content before it was migrated to SharePoint Online.

So, I put on my SharePoint Holmes cap and rolled up my sleeves.

The investigation

  1. I logged in with my Admin account and went into the site.
  2. I saw the items perfectly well. Just items in a Datasheet view.
  3. Permissions check – the user had Read permissions to the site.
  4. Items with unique permissions check – the list had unique permissions but the user had Read access.
  5. Item-level permissions check – in the Advanced List Settings it showed that all items were visible to all users of the site.
  6. Workflow check – no workflow reducing permissions after going through a process.

Right, that was an interesting one.

  1. It was time to look through the eyes of the user, so I added myself to the same user group and checked. An empty list stared back at me.
  2. I went through the other views and found a standard one. I could see the items in there, and so could my user.
  3. One of my colleagues mentioned that issues with the latest IE update had been reported, which might have influenced the Datasheet view.  We tried different browsers. That made no difference, but there was always that difference between user and admin.

Hmmm….

The solution

Search engine to the rescue! One of the results surprised me, and I had to test that.

I created a datasheet view in my own tenant. It looked like this:

What the Admin sees

Then I logged in with Contribute permissions. It looked like this:

What a Contributor sees

Then I logged in with Read permissions. It looked like this:

What a Reader sees

You need at least Contribute permissions before you can see items in a Datasheet view.

The Datasheet view is meant for editing, so only people with edit permissions can see items in it. It makes sense and I have always told people to use the Datasheet view very sparingly as it is only too easy to change something. The many Excel-addicts in my user base however loved it and have also used it for display purposes in our SharePoint 2007 intranet.
Now they either have to elevate permissions or recreate their views.

Interestingly enough this was a permissions issue, but different from what I have ever seen before!

Image courtesy of Geerati at FreeDigitalPhotos.net

7 SharePoint permissions bloopers


The other day I came across an interesting tweet:

Yes, been there, done that! And this made me think of all those other times that I, or my users, have made a mistake with permissions, either by forgetting to think and doing this on routine, or by ignorance.
Here they are, for your learning and enjoyment.  Laughing is allowed; sharing your own bloopers is encouraged!

2. Deleting a group

Did you know that deleted Groups do not go via the Recycle Bin, so they are gone for good?
So, when you want to do this, first check to which content the group has access. If that is only to your site, you can safely delete it; if it has permissions to other sites, please talk to the owner(s) of the other site(s) first!

How to check: Click on the group name on your permissions page, click Settings > View Group Permissions and you will see a pop-up like this:

In this case the group only has access to one site, so it can safely be deleted if needed.

3. Removing a group from a site and forgetting its name

Good luck finding that in your site collection’s list of groups! (which likely contains at least 3 x as many groups as there are sites, and most likely many more)

A good naming convention, as well as keeping some documentation or screenshots of your permissions setup may help limit the damage. Another good idea is noting the MembershipGroupIDs of the group’s URL. These can be found in the group’s URL, e.g.

…/Share/_layouts/15/people.aspx?MembershipGroupId=165

The 3 default groups of a site are created with subsequent numbers, so if you remove one of those you can probably find them by changing the MembershipGroupID at the end of the group URL. In the screenshot above, Owners, Members and Visitors group have numbers 164, 165 and 166, respectively.

4. Clicking on “manage parent” to edit permissions

You need to change permissions of a site that has inherited permissions. Without thinking you click on “Manage parent” and start making changes, not fully realizing that you are now changing the permissions for both sites. You should have clicked on “Stop Inheriting Permissions” first!
The damage can vary.
I have once changed the top site of a site collection that way. The good news was that I finally got rid of a lot of outdated “Limited Access” users, but it was only later that I realized I had also removed everyone’s permissions from various site collection galleries.

5. Removing yourself from a group, site or library

This is generally annoying but benign, as long as you have quick access to a site collection administrator who can add you back.  I get about one call a week from someone who has locked themselves out.

6. Not clicking “Show Options” when you  share something with “Everyone”

Do click that “show options” link on the bottom of the Share screen!

This sends an email to all the company (and gives them contribute permissions if it is a site). Well, at least people know you and your site exist, but I do not know if “Everyone” will appreciate your marketing tactics! 🙂

And (in my opinion) the most disastrous of them all:

7. Inheriting the permissions from the parent site

You click “Delete unique permissions” without realizing you are not at the document library, but at the site level. The permissions of your site will now be the same as the parent site.
You may not be the site owner of that site. Even worse, you may not even have access! And even if someone is kind enough to create unique permissions again and give you back your access, all unique permissions are gone.

An example: this site has unique permissions.

If you see “This Web Site” you are at site level!

This site has some content with different permissions


When I click “Delete unique permissions” in the site I get a warning in a mix of English and Dutch – which is the first time I have seen this:


And if you click OK the permissions are inherited from the parent and there are no unique permissions anymore. The original groups also have no access anymore.

No content with unique permissions after inheriting permissions from the parent site.

While this may be a good reset of your site if you have completely lost the overview of the permissions, it can be a nightmare if you have a well-managed site with confidential content that needs well-managed unique permissions.

General recommendations

  • Make sure you have an overview of the permissions of your site. It can be a simple mention in the description of the list or library (“this list is only accessible for the MT”), or a separate document with a detailed description.
  • Stop and think before you hit a button – if in doubt contact your help person.

Have you made any other permissions management mistakes? Do share!

Where do SharePoint permissions live?

After we moved to SharePoint online, users did not know how to find or change permissions in folders and items anymore. In general I prefer to keep it that way 🙂 but I was curious to learn how it was done now, since I provide support on permissions issues.

Permissions pages for sites and lists/libraries have not changed for ages, but in SharePoint Online you have to follow a different path than before to get to the permissions page for folders, documents and list items.

When talking about the permissions page: I am referring to a page like this:

The permissions page has a complete overview of groups and individuals, the ribbon, and a yellow bar with information about unique permissions in this unit, users with limited access and more.

Of course you can see the permissions page via my new BFF, the link “show items with unique permissions” on the Site Permissions page, but there are times when you do not want to see if there happens to be an exception, but what the permissions actually are for a certain folder or item.
(I recently saw a site with so many unique permissions that I completely lost track and could not figure out what was NOT in that list)

I am not very good at drawing or illustrations, but I want to learn. Here’s my attempt to show how to find the permissions page for a team site, containing a list, containing a folder, containing an item. (An item can be inside or outside a folder)

Folders and items: Details pane in list/library

Whether the item is in a folder or not, in both situations the permissions page is found via the details pane.

The details pane is on every list/library and is context-sensitive. When you select a folder, document or item it shows info for the selected item.

You need to be in the list or library (i.e. via Site Contents) to see the details pane. When you click “Change permissions” under “Has access” (this will be under the metadata) you will see this:

Go to the permissions page via the details pane

You can also go to the above place by using the new Share interface and clicking the … top right and then the “Manage Access” link that appears which leads to a similar pop up as the screenshot above. Click “Advanced” to go to the Permissions page.

The new Share interface with …

Folders and items – Share/Get a Link in web part

If you use a list or library web part, and the … are displayed, you can use the “Share” or “Get a Link” option to get there using the “Shared with” link and then clicking “Advanced”. The web parts use the “old” Share experience, which I expect will be replaced with the new Sharing experience, above.

Web parts still use the “old” Share interface. I expect this will change over time.

Have you found any more ways to go to the page with the permissions?

photo credit: MontyAustin Goonies Treasure Map via photopin (license)

91 ways to display Summary Links

You can use Summary Links to display links on a SharePoint page.
It appears to be a forgotten web part. Microsoft has written support information about it for SharePoint 2007 which is still mostly correct today, so it appears not to have changed since launch.  I have not found many blogs about it; even Greg Zelfond did not mention it recently when he explained the various Links options in SharePoint.

I have always preferred the Links List, since that allows all the flexibility of a list AND you keep the data if you remove the web part from your page or mess up the view. Additionally, if you remove a link it will go to the Recycle Bin.
My main concern with Summary Links is that it only exists on the page, so if you accidentally delete a link or the web part you have to start all over again from scratch. However, it has its uses:

  • When you want to add icons or pictures to your links
  • When you need multiple columns, e.g. as a footer on your site
  • When you want the links list to make a visual difference to your page

Adding the web part

Click the Gear wheel and select Edit Page from the menu.
Click the zone where you want to add the web part. This will often be the Right zone or a Bottom zone if you want to use it as a footer, but it can be anywhere you want.
Click “Content Rollup” in the web part gallery and you will see Summary Links.

The Summary Links web part can be found under Content Rollup

You can edit the title of the web part, hide it, and do the usual things via the web part menu. Adding links and groups and changing style are done in the web part itself.

All “work” on the content is done in this Edit view

Adding links

If you want to group your links, it is best to create your groups first so you can add any new link to an existing group immediately. You can select a style later.
Adding a link gives you the following screen:

The New Link screen.

You can either browse for pictures or for the items you want to link to (e.g. pages or documents that live in your site or site collection) or you can paste the URLs.

How to change the styles for links and groups

Now, suppose you have some links added to your web part and you are curious to see how they display on the page. Click “Stop editing” and see what your page looks like. The default setting is quite good, but there are other options.

To change the style, put your page in Edit mode again, go to the web part and select “Configure Styles and Layout”.
You then get the screen below which allows you to select one of 13 Links styles and one of 7 group styles. That’s 91 combinations to choose from!

You can change the default style of newly added links, but also change all existing links in one go.

To save you time, I have created a Summary Links web part and tried all styles and groups. They are in the file below so you can easily scroll through them to see

  1. What the web part itself looks like (left)
  2. How the page looks with this style (right). The size of the web part will vary greatly depending on the style chosen and the rest of the information on the page, so this is a factor to reckon with.

Please view in full size!

Save a copy!

Once you have added all your links, and you are happy with the end result, it is wise to create a copy in case you need a restore. You can do that via Edit page > Open the web part menu > Export. You can then save a copy to your PC and/or in your site.

Enjoy the variety! What is your favorite style?

Image courtesy of atibodyphoto at FreeDigitalPhotos.net