When is Full Control not Full Control


This article has three possible titles:

  • All Full Control Users are not able to see the Access Requests Link and Page
  • When is Full Control not Full Control?
  • All About Associated Groups!


The problem: You have a user who has Full Control, but who is not a member of the Site Owners group.

Shouldn't they be able to do anything a member of the Owners group can do? Turns out they cannot see the "Access Requests" link in Site Permissions page.

Members of the Site Owners group see:


While the Full Control only user sees:


(Just typing "Full Control only user" is weird!  "Only" has Full Control?)


So who can see the Access Requests Link?

Two groups of people:

  • Site Collection Administrators
  • Members of the site's associated Owners Group

Notice that "users with Full Control" is not in that list, and that the word "associated" is in there.


Three Magic Groups

You can create many "owners" groups and give them all Full Control and they still won't be able to see the Access Requests link. The magic owners group must be "associated" to a special property. The SharePoint web site (the SPWeb object) has three properties that identify the three default special groups: AssociatedMemberGroup, AssociatedOwnerGroup and AssociatedVisitorGroup. The group associated with the AssociatedOwnerGroup gets the "magic sauce" to let its users see the Access Requests link!

SharePoint 2007 had a nice option in the People and Groups page to set the associated groups:


To set the associated groups in SharePoint 2010, 2013 and Office 365 you will have to visit the page that's normally displayed when you create a new subsite with unique permissions; http://yourserver/sites/yoursite/_layouts/permsetup.aspx. This page has the title of "Set Up Groups for this Site". Here you can select from existing groups or create new groups and associate them to the three "magic groups".


An interesting side effect of the above page it when you add an owners group that does not have Full Control this page gives the group Full Control.


How to set the associated groups using PowerShell:

$web = Get-SPWeb "http://buckeyespug.maxsp2013.com";
$groups = $web.SiteGroups;
$group = $groups.GetByName("The New Owners Group");
$web.AssociatedOwnerGroup = $group;


A C# version:

SPSite site = new SPSite("http://buckeyespug.maxsp2013.com");
SPWeb web = site.RootWeb;
SPGroupCollection groups = web.SiteGroups;
SPGroup group = groups.GetByName("The New Owners Group");
web.AssociatedOwnerGroup = group;


And for non-Developers

Visit the http://yourserver/sites/yoursite/_layouts/permsetup.aspx page!


Another way?

According to this article you can also directly grant permissions to the Access Requests lists. (The list won't exist until you have your first access request created.)



Auto-create the default groups

If you want to create the three default groups automatically call the SPWeb.CreateDefaultAssociatedGroups method, or if you are not a developer just visit the http://yourserver/sites/yoursite/_layouts/permsetup.aspx page.


No comments:

Note to spammers!

Spammers, don't waste your time... all posts are moderated. If your comment includes unrelated links, is advertising, or just pure spam, it will never be seen.