UPDATE 11/03/08: Be sure to read the excellent and detailed comment from Dessie Lunsford to this post.
I’ve been working on a secret tech editing project for an upcoming book and it references this blog entry by Tyler Butler on the MSDN ECM blog. This is the first time I have personally read a clear definition of the meaning of Limited Access. Here’s the meat of the definition:
In SharePoint, anonymous users’ rights are determined by the Limited Access permission level. Limited Access is a special permission level that cannot be assigned to a user or group directly. The reason it exists is because if you have a library or subsite that has broken permissions inheritance, and you give a user/group access to only that library/subsite, in order to view its contents, the user/group must have some access to the root web. Otherwise the user/group will be unable to browse the library/subsite, even though they have rights there, because there are things in the root web that are needed to render the site or library. Therefore, when you give a group permissions only to a subsite or library that is breaking permissions inheritance, SharePoint will automatically give Limited Access to that group or user on the root web.
This question comes up now and then on the MSDN forums and I’ve always been curious (but not curious enough to figure it out before today :)).
</end>
Follow me on Twitter at http://www.twitter.com/pagalvin
Hi Paul,
In our testing we’ve discovered an unfortunate consequence of adding "limited access" to the root site when unique permissions are assigned to an item.
You’d imagine that this permission would inherit in a linear manner – i.e. from the root down through the sub-site, doc lib, folder, to the item itself. However, in our tests, it seems that at the Doc library level, View permissions are granted horizontally.
We have some team sites. If I have two doc libs – TestA and TestB – and I grant a user from outside the top-level group item-level access to a document within one of the libraries, they can also see the other libraries. They can’t view any documents within these libraries, but the fact that they can actually browse to them is an unacceptable security breach for us. In fact, it seems to suggest that item-level security doesn’t really work in the strictest sense – i.e. you can manage at an item-level, but it also adds view permissions where you don’t want them.
This is quite a big deal for us and we’re having no luck finding a solution. I’m hoping I’m missing something really obvious. 🙂
Any ideas?
Mike
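The mechanism Tyler describes (unique permissions on a list or item cause an automatic Limited Access grant on the root web) and the consequence Mike reports (the principal can then browse the root web and see the names of the other libraries) can both be made visible with a short audit. The PowerShell script below is an added example, not code from the original post, its comments, or Microsoft: it reports every Limited Access grant on the root web and then walks each web, list and item that breaks inheritance to show the direct grants that explain it. It assumes it is run on a SharePoint server with the server object model available; the site URL is a placeholder.

```powershell
# Added example (not from the original post, its comments, or Microsoft): report
# every "Limited Access" grant in a site collection and the unique-permission
# scopes that caused it. Assumed environment: run on a SharePoint server with
# the server object model available; $siteUrl is a placeholder for your site.
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint") | Out-Null

$siteUrl = "http://sharepoint.example.com/sites/teamsite"   # placeholder value

# Emit one record per (scope, principal, role) for a securable object's direct role assignments.
function Get-DirectRoles {
    param($Securable, [string]$Scope, [string]$Url)
    foreach ($ra in $Securable.RoleAssignments) {
        foreach ($rd in $ra.RoleDefinitionBindings) {
            New-Object PSObject -Property @{
                Scope     = $Scope
                Url       = $Url
                Principal = $ra.Member.Name
                Role      = $rd.Name
                # SPRoleType.Guest is the built-in role type behind "Limited Access"
                IsLimited = ($rd.Type -eq [Microsoft.SharePoint.SPRoleType]::Guest)
            }
        }
    }
}

function Get-LimitedAccessReport {
    param([string]$Url)
    $site = New-Object Microsoft.SharePoint.SPSite($Url)
    try {
        # 1. The auto-granted Limited Access entries live on the root web; this is
        #    what lets a principal browse to the web and see the names of its libraries.
        Get-DirectRoles -Securable $site.RootWeb -Scope "RootWeb" -Url $site.RootWeb.Url |
            Where-Object { $_.IsLimited }

        # 2. Walk every web, list and item that breaks inheritance; the non-limited
        #    grants found here are the reason the root web received Limited Access.
        foreach ($web in $site.AllWebs) {
            try {
                foreach ($list in $web.Lists) {
                    if ($list.HasUniqueRoleAssignments) {
                        Get-DirectRoles -Securable $list -Scope "List" -Url $list.DefaultViewUrl
                    }
                    # Full item walk: fine for a team site; page with SPQuery on large lists.
                    foreach ($item in $list.Items) {
                        if ($item.HasUniqueRoleAssignments) {
                            Get-DirectRoles -Securable $item -Scope "Item" -Url $item.Url
                        }
                    }
                }
            } finally { $web.Dispose() }
        }
    } finally { $site.Dispose() }
}

# Usage: list each principal that can browse the root web only because of a
# Limited Access grant, alongside the list/item scopes that explain it.
Get-LimitedAccessReport -Url $siteUrl |
    Sort-Object Principal, Scope |
    Format-Table Principal, Role, Scope, Url -AutoSize
```

Reading the output side by side is the point: any principal that appears with Role "Limited Access" at Scope "RootWeb" but holds a real role only at an "Item" scope is exactly the case Mike describes, and the report tells you which item granted it. Removing the item-level grant removes the root-web Limited Access entry with it; if the browse-to-library exposure is unacceptable, the alternative the definition implies is to place such documents in a separate site collection, where there is no shared root web to be granted Limited Access on.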