What is Limited Access Anyway?

3 Replies

UPDATE 11/03/08: Be sure to read the excellent and detailed comment from Dessie Lunsford to this post.

I’ve been working on a secret tech editing project for an up-coming book and it references this blog entry by Tyler Butler on the MSDN ECM blog.  This is the first time I personally read a clear definition of the meaning of Limited Access.  Here’s the meat of the definition:

In SharePoint, anonymous users’ rights are determined by the Limited Access permission level. Limited Access is a special permission level that cannot be assigned to a user or group directly. The reason it exists is because if you have a library or subsite that has broken permissions inheritance, and you give a user/group access to only that library/subsite, in order to view its contents, the user/group must have some access to the root web. Otherwise the user/group will be unable to browse the library/subsite, even though they have rights there, because there are things in the root web that are needed to render the site or library. Therefore, when you give a group permissions only to a subsite or library that is breaking permissions inheritance, SharePoint will automatically give Limited Access to that group or user on the root web.

This question comes up now and then on the MSDN forums and I’ve always been curious (but not curious enough to figure it out before today :)).

</end>

Subscribe to my blog.

Follow me on Twitter at http://www.twitter.com/pagalvin

Technorati Tags:

I Don’t Often Agree with Big George Will, But He’s Right About Dreary Outcomes

1 Reply

The closing thought on this otherwise dull article speaks well to problems we often face in the technical community:

"Such dreary developments, anticipated with certainty, must be borne philosophically."

This puts me in mind of one of the presentations I gave at the SharePoint Best Practices conference last month.  I was describing how to get "great" business requirements and someone in the audience asked, in effect, what to do if circumstances are such that it’s impossible to get great requirements.  For example, a given company’s culture places IT in front of the requirements gatherer / business analyst, preventing direct communication with end users.  This is a serious impediment to obtaining great business requirements.  My answer was "walk away."  I’m not a big humorist, so I was surprised at how funny this was to the audience.  However, I’m serious about this.  If you can’t get good requirements, you can be certain that a dreary outcome will result.  Who wants that?  I’m a consultant, so it’s more realistic (although terribly painful and drastic) for me to walk away.  However, if you’re entrenched in a company and don’t want to, or can’t, walk away, George (for once 🙂 ) shows the way.

</end>

Subscribe to my blog.

Follow me on Twitter at http://www.twitter.com/pagalvin

Technorati Tags:

SharePoint Designer Workflow and Email Attachments — A Consummation Devoutly to be Wished

Leave a reply

Sadly, it is not to be.  We cannot send an email with attachments from a SharePoint Designer workflow using out of the box features.  This wish comes up with increasing regularity on the MSDN forums.

However, the SharePoint platform, as with so many things, does offer us a path forward.  We can create custom actions which we then incorporate into our workflows.  Once installed, a custom action looks and feels like any other action (e.g. Collect Data, Log a Message, etc).

Creating a custom action is a big mountain to climb, however, for End Users.  This codeplex project provides this functionality: http://www.codeplex.com/SPDActivities.  Pulling that down and installing it is also beyond the skills of typical End Users.  However, it’s quite simple for a SharePoint admin to do it, so if you find yourself needing to develop a workflow with this capability, work with your SharePoint admin to get it done.

</end>

Subscribe to my blog.

Follow me on Twitter at http://www.twitter.com/pagalvin

Technorati Tags:

Quick Tip: Configure Security to Allow Admins to Access any My Site in SharePoint

Leave a reply

In a sign that Social Computing is beginning to take off with SharePoint, I see an increased number of My Site type questions.  One common question goes something like this:

"I am an administrator and I need to be able to access every My Site.  How do I do that?"

The trick here is that each My Site is its own site collection.  SharePoint security is normally administered at the site collection level and this trips up many a SharePoint administrator.  Normally, she already has access to configure security in the "main" site collections and may not realize that this doesn’t automatically work for My Sites.

Site collections collectively live inside a larger container, which is the web application.  Farm admins can can configure security at the web app level and this is how admins can grant themselves access to any site collection in the web application.  This blog entry describes one of my personal experiences with web application policies.  I defined a web application policy by accident: http://paulgalvin.spaces.live.com/Blog/cns!1CC1EDB3DAA9B8AA!255.entry.

Web application policies can be dangerous and I suggest that they be used sparingly.  If I were an admin (and thank goodness I am not), I would create a separate AD account named something like "SharePoint Web App Administrator" and give that one account the web application security role it needs.  I would not configure this kind of thing for the regular farm admin or individual site collection admins.  It will tend to hide potential problems because the web app role overrides any lower level security settings.

</end>

Subscribe to my blog.

Follow me on Twitter at http://www.twitter.com/pagalvin

Technorati Tags: ,

Quick Tip: Use “IsDocument:1” to Trim Search Results

4 Replies

Update 11/03/08: Fellow MVP Mike Walsh correctly points out that this is a WSS 3.0 / MOSS feature.  It does not work in WSS 2.0 or earlier.

Updatte 11/03/08: (Second update in one day!): Be sure to read the excellent comment from "nowise" for more info and another good xref link.

Two questions came up in rapid succession this week on the MSDN forums asking a variation of this:

"When I search a keyword, folders from my document library with that keyword in their path will come out first in my search results. I don’t want that to happen. Files with that keyword are more important to me.  I don’t want to see folders at all."

This is actually quite easy to do out of the box.  Simply add a "IsDocument:1" to the search query and SharePoint search (both WSS and MOSS) will restrict itself to showing actual documents.

</end>

Subscribe to my blog.

Follow me on Twitter at http://www.twitter.com/pagalvin

Technorati Tags:

Quick Fix: Web Services that Interact with SharePoint, InvalidOperationException

Leave a reply

A million years ago, I helped developed a web service that was invoked via a custom action for a SharePoint Designer workflow.  This week, the client wanted to move it to production (finally!) so we did.

The custom action worked fine, but the web service it invoked did not, giving us this error:

System.InvalidOperationException: This operation can be performed only on a computer that is joined to a server farm by users who have permissions in SQL Server to read from the configuration database. To connect this server to the server farm, use the SharePoint Products and Technologies Configuration Wizard, located on the Start menu in Administrative Tools.
   at Microsoft.SharePoint.Administration.SPWebApplication.Lookup(Uri requestUri)

Turns out that I forgot to add the service to the SharePoint application pool in IIS.  Once I did that, it worked fine.

This MSDN forum posting gave me the clue I needed: http://social.msdn.microsoft.com/Forums/en-US/sharepointdevelopment/thread/2c97c004-7118-4e06-a62c-b2b0ac07ac99

</end>

 Subscribe to my blog.

Follow me on twitter: http://twitter.com/pagalvin

Technorati Tags:

Using Delicious.com to Track SharePoint “v.next” Information

1 Reply

As I find resources on the web discussing features available in the next version of SharePoint, I’ll be adding them to my delicious bookmarks.  It appears that Delicious allows people to subscribe to a particular tag, so if you’re interested in what I find, when I find it, subscribe here: http://feeds.delicious.com/v2/rss/pagalvin/SharePoint_O14?count=15

</end>

 Subscribe to my blog.

Technorati Tags:

Congratulations, Natalya!

1 Reply

I just received word that my friend and colleague, Natalya Voskresenskaya was awarded MVP for SharePoint today.  I’ve been working with Natalya for almost 18 months now and it’s a well-deserved recognition.  Like all the MVPs I know, she’s strongly motivated by the community and her work with ISPA, among other things, is helping to make the SharePoint community one of the strongest and most helpful of any technically oriented effort on the planet.

Congrats!

</end>

VPN Strikes Again, Slowing Me Down and Ruining My Beer

Leave a reply

Tonight, I’m doing some hobby work with a virtual machine running on my desktop.  I’m connecting via IE on my laptop and I’m noticing horrible performance.  IE keeps freezing, especially when I access anything in the upper right hand corner that would cause a drop-down to, well, drop down.  I would click on Site Actions and things freeze up for a while.  They would freeze long enough for me to switch over to another browser window and do something else.  If I confine myself to navigating around from page to page, it’s reasonably quick, but even that feels slow.  Normally, things are very fast. 

I’ve had this happen to me before and I think that I ended up rebooting at the time.  I’m about to do that when I somehow notice I’m still VPN’d to a client from 2 days ago(!).  I disconnect and that that solves my performance problem.

</end>

Subscribe to my blog.

Technorati Tags: ,