I've got a Sitecore Multilist that has several pre-selected items on it. Certain users aren't able to see the items on the list, because they don't have read access to the items.
The problem I've run into is that these users have some 12 roles and I can't figure out which one is restricting their read access to the items in the list. Is there an easy way to figure out which role needs to be modified to give them read access to these items?
I'm running Sitecore 7.2
You can use Sitecore Access Viewer application from Sitecore Desktop (Sitecore -> Security Tools -> Access Viewer).
Select chosen user
Find item which is not allowed for that user
Click on the 'Read' column.
You will see explanation why access is denied in right column
Related
I want to restrict users from seeing the content of a list when they navigate to "site/Lists//AllItems.aspx". All I want them to see is the message "There are no items to show in this view of the "" list." I've already checked permissions but everything is set properly. We are not using audience targeting.
Configure the list view to use a filter that returns no result. For example, if the smallest ID in the list is 9, set the filter to show ID equals 8
Such hacks will not prevent savvy users from viewing the data though. Access and permissions should be configured properly. Consider removing user access to that list entirely, so only administrators can see it.
First break permission on your list or library by "Stop Inheriting Permissions"
Go to the list, library, or survey and open it.
Go to the Permissions page using the steps in the previous section.
To break permissions inheritance from the parent, select Stop Inheriting Permissions.
Assign unique permissions in SharePoint 2019, 2016, or 2013 server
You must break inheritance from the parent site before you can grant unique permissions. Once you've broken inheritance using the steps in the section above, follow these steps to grant unique permissions:
Go to the list, library, or survey and open it.
Go to the Permissions page using the steps in the previous section.
Select Grant Permissions on the Permissions tab.
Delete Unique Permissions button
Note: If the list or library is inheriting from the parent, you won't see Grant Permissions.
In the Share... dialog box, make sure Invite people is selected, and then type the names of the people or group you want to grant access to in the Enter names or email addresses... box.
Share dialog box
Add a personal message if you like.
Check or uncheck Share everything in this folder, even items with unique permissions. This will grant or restrict access to items you already set unique permissions for. (This option is only available for folders.)
The permission level granted is set to Edit by default, which means the people you invite can make some changes to the list, library, or survey. If you want to grant a different permission level like Read only, click Show options and change the selection in the Select a permission level box.
An email message will be sent to everyone in the Invite people box. If you don't want this to happen, click Show options, and uncheck Send an email invitation.
When you're done, click Share.
Hope this can solve your issue:
https://support.microsoft.com/en-us/office/customize-permissions-for-a-sharepoint-list-or-library-02d770f3-59eb-4910-a608-5f84cc297782
I have Created the SharePoint custom List with 3 views(Ex.test1,test2,test3).
I want to assign 3 views to 3 user,one should not have permission to view other's view.
Any help would be appreciated.
As far as I know, this is simply not possible, i.e. assigning views to a certain user. You can have 'Public' views (visible to everyone with access to the list as the name implies) and 'Personal' views (visible only to the user who created them, the user must have the relevant permission enabled for this). Personal views cannot be shared.
Also, if it is critical that data is only visible to certain users and not others, a user can look at items not in their View by simply changing the ID in the Item View in the URL so View filtering is not a good way to go about this.
Could you please elaborate on what exactly are you trying to achieve, i.e what is the difference between the views etc.?
UPDATED:
Here you can get another good solution.
https://sharepoint.stackexchange.com/questions/253723/restrict-list-view-to-role-sp-o365
It is really good solution because you need only admin rights and no code.
You need to create folders, break role inheritance and add permissions on folders.
My OLD answer:
From my experience It is depend on what is your expectations from solution, your limits, what you want to get and what things you can sacrifice and in some cases what SharePoint edition you are using.
Note: SharePoint does not have out-of-box fully customizable list item permissions.
I can say about some expectations, some details, some solutions and workarounds and how to implement this.
You can try to get something that applied to you:
.1. You want to disallow users to see other users views. But:
users with specific permissions can create their own views and therefore they can create views with all fields and all list items data from other disallowed views,
users can get data about all fields in list items and all list items from REST API, JSOM API and other SharePoint out-of-box web services,
users can open any list item, change URL item ID to another and see any data from other list item.
To achieve this you can:
.1.1. Open list under each user and create its own Personal View.
Personal Views displayed only for individual users.
.1.2. Create Public View and set its Target Audience.
Open view page -> in right corner click Gear icon -> Edit Page -> on the page click arrow icon on list view web part -> Edit Web Part -> Section "Advanced" -> Field "Target Audiences".
If you does not have this option then enable target audiences.
List Settings -> Audience targeting settings -> Enable audience targeting.
In audiences you can specify SharePoint users or groups who has permissions to see this web part.
Here you can see different uses of audiences and how to enable it on list or library: https://support.office.com/en-us/article/target-content-to-specific-audiences-33d84cb6-14ed-4e53-a426-74c38ea32293
.1.3. Create Public View, open its page, edit page, delete List View Web Part, add Content Query Web Part and set its Target Audience.
Here you can see info about Target Audiences:
https://support.office.com/en-us/article/target-content-to-specific-audiences-33d84cb6-14ed-4e53-a426-74c38ea32293
But I didn't perform this by myself.
.1.4. Add javacript to list view page.
This javascript will check user permissions and hide view or redirect user to some other location or will make other actions.
.2. Users cannot see other users created list items from any source (any list views, any API and web services).
.2.1.
Note: this is limited. User can only read, edit list items which created by him. You cannot apply this on other users created list items.
To achieve this you can:
List Settings -> Section "Advanced settings" -> Block "Item-level Permissions" -> "Read items that were created by the user" and "Create items and edit items that were created by the user" options.
.2.2. Create different lists for different users with different permissions.
.2.3.
Note: this is limited by SharePoint unique permissions limits.
You can create SharePoint workflow that run on list item creation. This workflow will break list item role inheritance and set new permissions for this items by some conditions.
This is may be good but here some limits exists. SharePoint limit list to have more than some limit number of list item unique permissions.
.2.4. I don't know if SharePoint has some limits to this but you can try and I don't know if you can perform this from public API but you can try to investigate.
You can create SharePoint workflow that run on list item creation. This workflow will set Target Audiences on list item.
Here you can see info about Target Audiences:
https://support.office.com/en-us/article/target-content-to-specific-audiences-33d84cb6-14ed-4e53-a426-74c38ea32293
.2.5. If you use SharePoint On-premise edition then you can add:
.2.5.1. List event receiver that run on list item Create event and perform following actions:
- break list item role inheritance and set new permissions for this items by some conditions
OR
- set Target Audiences on list item
.2.5.2. Create Timer job, deploy, schedule it in SharePoint Central Administration.
This timer job will be check newly created list items periodically and:
- break list item role inheritance and set new permissions for this items by some conditions
OR
- set Target Audiences on list item
.2.6. You can create Console Application (c# language) that connect to SharePoint, check newly created list items periodically and:
- break list item role inheritance and set new permissions for this items by some conditions
OR
- set Target Audiences on list item.
This console app can be scheduled on any server in your company through Windows Task Scheduler.
.2.7. You can write Powershell script that connect to SharePoint, check newly created list items periodically and:
- break list item role inheritance and set new permissions for this items by some conditions
OR
- set Target Audiences on list item.
This Powershell script can be scheduled on any server in your company through Windows Task Scheduler.
.2.8. You can create Windows Service (c# language) that connect to SharePoint, check newly created list items periodically and:
- break list item role inheritance and set new permissions for this items by some conditions
OR
- set Target Audiences on list item.
This windows service can be installed on any server in your company.
.2.9. May be you can create some other periodically running code (like Workflow, Console App, PowerShell script, Windows Service) in any server.
This code will:
- break list item role inheritance and set new permissions for this items by some conditions
OR
- set Target Audiences on list item.
I think code wrapper not limited to any implementation.
I think this ways is applicable to many cases.
If you want more customizable control, or you have some limits in implementation, then you can create many workarounds by many ways. Workaround can close many permissions holes but may be not all holes:
.1. You don't want user can create views from list view page UI.
You can add javascript to hide ribbon, buttons or some other UI elements to disallow user to create its own view or to switch to another user view.
If user is smart he can avoid this by using REST API, JSOM or web services to get neccessary list item data.
.2. You don't want user can see any list item data changing URL list item ID to another.
.2.1. You can add some javascript on default form pages.
On New Item form page, on Display Item form page and on Edit Item form page.
This javascript will be check user permissions and hide data or redirect user back to list view page or somewhere.
.2.2. You can create HttpModule that intercept web requests and check user permissions and redirect him to another page if he don't have permissions.
HttpModule must be added to IIS and SharePoint web config.
.3. You can try to disallow REST API, JSOM using but I didn't do that.
I think you can add HttpModule to IIS that will intercept web requests and check user permissions and return bad request HTTP status codes and error messages.
But I didn't yet try this by myself.
Here you must know all API endpoints to close access to them.
May be here exists many other different workarounds but I don't remember about them now.
Try something from what I said. May be it help you.
If I have an item in draft state and I go to Experience Editor, the add new component is disabled and I cannot add any new components for an Editor role.
Any idea where should I look?
It sounds like member Roles are the issue here.
Look into including one of the Designer roles (Designer / Sitecore Client Designing)
From Sitecore security roles documentation:
Sitecore Client Designing
Gives the user access to Experience Editor Design pane features that allow a user to set layout details associated with items in the Sitecore client.
Members of this role are: Designer
and
Designer
Gives the user read and write access to the areas of the content tree
that are required when changing layout details for individual items
and groups of items via template standard values, as well as items
required when configuring the Experience Editor Design Pane.
This role also has two of the Sitecore Client roles assigned to it, so
if you assign just this role to a user, the Sitecore Client Designing
and Sitecore Client Users roles will be automatically assigned to the
user.
This role provides access to the Experience Editor Design Pane
features and the designer options in the Content Editor.
Note This role is not a member of the Author and Authoring roles, so
it does not allow users to edit items.
Members of this role are: Developer
This sounds like a a workflow security issue. I would recommend using the Access Viewer to check the user's access to the item you are trying to edit. If it tells you that there is no access, the right side of the tool should tell you why. If the 'why' is workflow state access, you probably need to adjust your security on the Workflow state for 'Draft'.
I have a user who's been assigned the sitecore/Analytics Reporting role (member of Sitecore Client Users), and when I log in with that user I can see Marketing Center, Engagement Analytics and Executive Dashboard. I now want to give this user read access to a content item, but I can't make it work.
First of all, the sitecore/Analytics Reporting role already has read access to the content editor etc (inherited from the Everyone role), so why can't I see it? I created another role with explicit read access to the content item and assigned it to the same user, but I still can't see it. Does anyone know what I need to do for the user to see the content item?
I seen this a few times before with older Sitecore versions. Doing a Sitecore cache clear or IIS reset resolved it at that time.
After checking with Sitecore support they told me you have to add Sitecore Client Designer to your role (even though the Access Viewer shows you have read access you still won't be able to see it until you've added this role).
I am working on a website that uses Sitecore CMS. An intranet webpart was already created with restricted access.
In this intranet I've created a new page which should only be visible for 1 role. I have created the new role. I tried to mess around with the security of the page in the content editor (Security --> Assign). I published the changes. But no matter what I do, it doesn't seem to have any effect.
Any guidance would be greatly appreciated!
Open the sitecore desktop ( http://yoururl/sitecore/shell ), click on the 'sitecore' button, then 'security tools' and 'security editor'.
Select the 'anonymous user' account in the ribbon, click on the chosen page in the tree, and click 'x' near 'read'.
Then click 'select' in the ribbon and choose the proper role. Once again select the chosen node and allow 'Read' rights for the role.
Once it's done, you can use 'Access viewer' app (once again sitecore button and security tools on the desktop) to check whether the rights are set properly.
The trick is probably to deny access for the extranet\Anonymous user and then grant access for the role.
I like to use the Access Viewer or the Security Editor for that, instead of the Content Editor as it gives you a better overview.
Make sure to put inheritance to good use so you don't have to set security to each item individually but rather on the root of the site (if possible).
I advice you to take a look at the Sitecore Security Administrators Cookbook: http://sdn.sitecore.net/upload/sitecore6/securityadministratorscookbook-usletter.pdf