Demo
Back
Digital Workplace

Item-Level Security, Sharing and the SharePoint Publishing Infrastructure Feature

The Scenario

Consider a scenario such as the following: you need to grant access to a specific document within a site to a user, but want to restrict that users access to the rest of the site. This is not so far-fetched, with temporary or external users often brought in to work on specific a deliverable, having no need to see anything else in the site or library. So, item-level security and the ‘Share’ button to the rescue, right? Well, if only it were that simple…

Here’s a document library containing a few documents:

Documents for CollaborationNow, this site is not accessible to many users in our organization as it contains sensitive information. However, we’d like to share the “Coffee Collaboration” document with a specific user while ensuring that the other documents are not visible to that user. Given the tools at our disposal we reach directly for the ‘Share’ link on the ‘ellipses’ (context menu):

Let's Collaborate

So far, so good, right? James receives the email with a link directly to the document that he clicks on:

Access Denied

Access Denied. This is not what we (nor James) had expected, considering that we’d shared the item specifically. If at first you don’t succeed you may try to share the document again, only to find that James is listed as having access to the document:

Shared with James

So, why is this not working? It turns out that our site has the ‘SharePoint Publishing Infrastructure’ feature enabled, which is often the case even on Team Sites. However, enabling this feature in turn enables a second feature, named ‘Limited-access user permission lockdown mode’ or ‘ViewFormPagesLockdown’ which is the source of our access issues. As we can see from the feature description, this feature restricts access to Application Pages in the site:

Limited Access User Permission Lockdown Mode

This second feature is useful for publishing sites that have anonymous user access, but in our case we’ve a Team site that is only accessed internally so the concern is not quite as relevant. Disabling this feature will allow access to the specific item:

Access Granted

And we can see from the Document Library listing that James has access only to the specific document, which is our desired behavior:

Limited Access Document Library Listing

Changes from SharePoint 2010

What makes this particular scenario a little more interesting is that the behavior has changed from SharePoint 2010. As you can see from the following listing of site features, a SP2010 Team Site that has subsequently had the the ‘SharePoint Publishing Infrastructure’ feature enabled does not have the secondary ‘ViewFormPagesLockdown’ feature:

SP2010 Team Site With Publishing

Whereas a Team Site on SharePoint 2013 with the ‘SharePoint Publishing Infrastructure’ feature enabled does have an active ‘ViewFormPagesLockdown’ feature:

SP2013 Team Site With Publishing

Conclusion

Sharing a specific item is a useful (and often necessary) approach to collaboration on SharePoint 2013, but you may run into this particular scenario where the behavior you encounter is not what you’d expect, all due to the change in features activated by the ‘SharePoint Publishing Infrastructure’ feature. Additionally, this is another case where the default behavior has changed from SharePoint 2010 to SharePoint 2013, so file it away in the back of your mind with all the other little tidbits, gotchas and work-arounds that you must keep track of being a SharePoint Administrator.

Excited by
What You’ve Seen?

Get in Touch Now