SharePoint: Who can't you hide things from?


You just created a new subsite. You broke inheritance. You removed all of the inherited permissions. You gave only three people access.

Can anyone else see this site?


  • Your Site Collection Administrator.
  • People granted Web Application level "super user" permission policies by the server administrators. These roles are often called "Auditors" and "Super Administrators".
  • Server administrators who have granted themselves "super user" permissions.
  • Any administrator using the farm service account. (Never a best practice.)
  • Anyone your team members have "Shared" with! (see below)
  • The SQL Database Administrator. (we never directly query the tables… right?)


Site Collection Administrators

When a new Site Collection is created the server administrator can assign people to two roles named Primary Owner and Secondary Owner. These two users can see and change everything in the site collection, unless some permission has been denied by Web Application level user policies.

These two Site Collection Administrators can add as many other people to the list of Site Collection Administrators as they like. Only the Primary and Secondary owners receive site alert emails, but all of these admins have Full Control over everything in the Site Collection. For more interesting things about these extra admins, see: http://techtrainingnotes.blogspot.com/2012/12/fun-and-games-with-site-collection.html.


Web Application Level "Super User" Permission Policies

Server administrators can define Web Application level policies and broadly give or remove permissions. These policies overrule anything done at the Site Collection or subsite levels. Here are a few examples:

  • Remove the "Create Subsites" permission from all users.
  • Remove the "Manage Lists" permission from everyone in the Active Directory Sales Managers group.
  • Make a user an "Auditor" with rights to see everything in the entire Web Application. Yes, everything, including permissions and everything in the Site Settings page.
  • Make a user a "Super Administrator" with the ability to change anything in the Site Collection, and even run in "stealth mode" with all changes listed as "by System Account".
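The two sections above describe accounts that see a subsite no matter how carefully its own permissions were trimmed: Site Collection Administrators and accounts named in Web Application user policies. The script below is an added example (not from the original post) that lists both for a given subsite from the SharePoint Management Shell on a SharePoint Server farm. The subsite URL is a placeholder; everything else uses the server object model (SPSite.Owner, SPSite.SecondaryContact, SPWeb.SiteAdministrators, SPWebApplication.Policies), and the IsSystemUser column is the "Account operates as System" setting behind the "stealth mode" mentioned above.

```powershell
# Added example: who can see this subsite regardless of broken inheritance?
# Assumes SharePoint Server (on-premises) and the SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webUrl = "http://intranet/sites/projects/secret"   # placeholder, replace with your subsite

$web    = Get-SPWeb $webUrl
$site   = $web.Site
$webApp = $site.WebApplication

Write-Host "== Site Collection Administrators for $($site.Url) =="
Write-Host "Primary owner   : $($site.Owner.LoginName)"
Write-Host "Secondary owner : $($site.SecondaryContact.LoginName)"

# The full Site Collection Administrators list, not just the two owners.
# These accounts are stored on the root web and apply to every subsite.
$site.RootWeb.SiteAdministrators |
    Select-Object LoginName, Email |
    Format-Table -AutoSize

Write-Host "== Web Application user policies for $($webApp.DisplayName) =="
# Each policy binds an account (or AD group) to one or more policy roles:
# Full Read ("Auditor"), Full Control ("Super Administrator"), Deny Write, Deny All,
# or a custom role. IsSystemUser means changes are recorded as "System Account".
$webApp.Policies | ForEach-Object {
    $policy = $_
    [pscustomobject]@{
        Account          = $policy.UserName
        Roles            = ($policy.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ", "
        Grants           = ($policy.PolicyRoleBindings | ForEach-Object { $_.GrantRightsMask }) -join " | "
        Denies           = ($policy.PolicyRoleBindings | ForEach-Object { $_.DenyRightsMask }) -join " | "
        OperatesAsSystem = $policy.IsSystemUser
    }
} | Format-Table -AutoSize

$web.Dispose()
```

Run it as a farm administrator, since reading web application policies needs rights on the farm configuration, not just on the site. Anything that appears in the Grants column with a Full Read or Full Control mask can open the subsite even though it is not in the subsite's own permission list; a Deny mask overrides grants made anywhere below it.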


Team Member Sharing – Members are security admins???

In SharePoint 2013 Online, users given the "Edit" permission level can share the site or anything in any list or library in the site where they have that permission level. All they have to do is click one of the many "Share" buttons or links. This one should really scare you! All they have to do is click the Share at the top of the page, and they have shared the entire site without site owner approval. If they click Share on a document or list item, they break inheritance on that item and then share it! The same user in SharePoint on-premises is only creating an "access request". See how to hide the share buttons here: http://techtrainingnotes.blogspot.com/2015/08/hiding-evil-sharepoint-2013-share.html

A bit odd: while a user with the "Edit" permission level can "share" a full site or a single list item, they cannot share a list or library. If they guess the URL to "Permissions for this document library" they get "access denied".

SharePoint Online/Office 365 vs. On Premises:

| Member action | On Premises | Online |
| --- | --- | --- |
| Member clicks the site level Share button | Creates an "access request" – site owner needs to approve | Adds the new user to the Members group, which usually has the Edit permission level |
| Member clicks the list or library item Share button | Creates an "access request" – site owner needs to approve. If approved, breaks inheritance and adds permissions for the new user. | Breaks inheritance and adds permissions for the new user. |
| Member guesses the URL to the People and Groups page… | Can only see the list of users in the groups. | Can remove users from groups! |

So… Consider editing the "Edit" permission level and removing the "Manage Lists" permission!
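As an added example (not from the original post), here is how that edit to the "Edit" permission level looks when done from the SharePoint Management Shell on a SharePoint Server farm: it clears the single ManageLists flag from the level's BasePermissions mask, leaves every other right in place, and then checks each subsite so you can see that the change reaches subsites with broken permission inheritance too, because permission levels are defined once per site collection. The site URL is a placeholder.

```powershell
# Added example: remove "Manage Lists" from the built-in "Edit" permission level.
# Assumes SharePoint Server (on-premises) and the SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://intranet/sites/projects"   # placeholder, replace with your site collection

$site = Get-SPSite $siteUrl
$web  = $site.RootWeb            # permission levels live on the root web
$edit = $web.RoleDefinitions["Edit"]

$manageLists = [Microsoft.SharePoint.SPBasePermissions]::ManageLists

# Helper: is a given flag present in a permission level's mask?
function Test-Flag($definition, $flag) {
    return (([UInt64]$definition.BasePermissions) -band ([UInt64]$flag)) -eq ([UInt64]$flag)
}

if (Test-Flag $edit $manageLists) {
    Write-Host "Before: Edit includes ManageLists"
    # Toggle only the ManageLists bit off; all other rights stay as they were.
    $newMask = ([UInt64]$edit.BasePermissions) -bxor ([UInt64]$manageLists)
    $edit.BasePermissions = [Microsoft.SharePoint.SPBasePermissions]$newMask
    $edit.Update()
    Write-Host "After : Edit no longer includes ManageLists"
} else {
    Write-Host "Edit already excludes ManageLists, nothing to do"
}

# Verify on every subsite. A subsite with unique role definitions (rare, only possible
# through the object model) keeps its own copy of "Edit" and is flagged here.
foreach ($sub in $web.Webs) {
    $subEdit = $sub.RoleDefinitions["Edit"]
    "{0,-50} UniqueRoleDefs={1,-5} ManageLists={2}" -f $sub.Url, $sub.HasUniqueRoleDefinitions, (Test-Flag $subEdit $manageLists)
    $sub.Dispose()
}

$web.Dispose()
$site.Dispose()
```

Two caveats before running this in production. First, "Manage Lists" also lets Members create and delete lists and libraries, add or remove columns, and edit public views, so teams that rely on Members doing that will need a separate custom permission level. Second, this script is for SharePoint Server; on SharePoint Online the same change is made through Site Settings, Site permissions, Permission Levels, or with PnP PowerShell's Set-PnPRoleDefinition, whose parameter for clearing individual rights should be checked against the current PnP documentation rather than assumed from this example.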
