@info – The practical side of SharePoint

Document Library Permissions

Posted by sharepoinTony on February 26, 2009

This is a true story where the names where changed to protect the innocent. That doesn’t make it a valuable story. I will let you decide what makes it valuable to you, I already got my value out of it.

The Beginning
A site owner went to their SharePoint Site Collection Administrator (SCA) with a problem. The owner had multiple document libraries and had created multiple folders in each library. She set permissions on each library and on each folder in each library by ‘breaking’ inheritance from the site and granting permissions to individuals and groups appropriately.

The site owner granted Read permissions to a specific user on each of the libraries. She also gave that user Read permissions to several specific folders within each of the libraries.

[Before anyone gets excited, you should know this department handles personnel files, awards & bonuses, reviews, new positions, etc. In this environment it is appropriate to create this structure because it allows staff to maintain all of these documents in one general area while also allowing segregation of information and the application of proper security for various people with varying needs.]

The Problem
The user with Read permissions reported that he could see all of the libraries and the folders he expected to see, but could not see the files in several of the folders. He could see the files in one folder in one of the document libraries.

The Questioning
The SCA verified what the user could see and not see specifically. Learned that the user could see everything that was expected, based on permissions, in the one library. He also learned that this user could browse through the site to the other libraries and see the appropriate folders in each. The user appeared to be ‘in’ a folder with a message saying there were “no items to display” just as when you navigate into a folder with no files.

The First Attack
The SCA checked the permissions at the Document Library and Folder levels. He checked the files within the libraries folders to see that the user in question did in fact have Read permissions within the folders. After checking and comparing the permissions between the library where the user could see the files with those “that didn’t work”, he went up a level and checked permissions for the site.

Everything seemed correct.

The Second Attack
The site owner said she had only added this user at the Library and Folder level, maybe the ‘auto-addition’ of the user at the site level was somehow corrupting something. (When you add a user to a Document Library that did not previously have access to the site housing the library, that user gets “Limited Access” permissions set on the site). Maybe we just need to start fresh. Yeah, let’s just remove all of this users permissions and try again very methodically and carefully. That didn’t improve anything.

The Third Attack
Maybe a test is called for. This is a permissions problem isn’t it? The SCA found a user who did not have access to any of these libraries, who could be temporarily trusted to see the files contained there. Adding this new user with Read permissions, exactly as had been done with the ‘problem user’ would be a good test. If the new user could see the files as expected then there must be something outside of the application of permissions causing this behavior. If the behavior was the same, then we swear quietly and dig in further.

Swearing Completed
So the same exact behavior befell the new user. What is missing…hmm, lets look at all of the settings for these Libraries. So the SCA set about to systematically look at every setting in the “good” Document Library and catalog the ‘notable’ items. Moving on to the other Libraries and comparing the settings he finds one significant difference. Versioning is turned on for the Libraries where the user cannot see the files as expected.

Hmm, let’s see what happens if we check that little radio button that tells us it will allow anyone with Read access to see Draft documents. Whattayaknow, the test user can suddenly see those files.

The Learning
When Versioning is on, your uploaded files are considered Drafts until you either Approve them if approvals are enabled, or Publish a Major Version. All of the files were uploaded and left as Drafts. Clicking the helpful link to “Learn more” about drafts will provide a very helpful explanation of how the process works and the impact on permissions.

Drafts are not visible to people with Read permissions, only to those with Contribute or Edit permissions for that Document Library/Folder/File.

This makes sense. If you are working on a document you probably don’t want everyone to see it while it is a draft. Once you are ready you make it available to the viewing public (Readers) by publishing it. Handy, if you know that is how it works. Neither our site owner or SCA knew of this feature, but they do now.

The wrap-up consisted of determining a) if versioning really was needed or not and b) if versioning was going to be used, then did they want Readers to see Drafts or would they learn to publish a major version and turn off the option selected during the test.  If versioning wasn’t truly needed, then simply turning off versioning would solve the problem.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: