Monday, March 26, 2012

SharePoint 2010 - Protecting the Security of the Security Groups

Some time ago I created an AD security group, dropped a handful of users in it, and dropped that group in the Visitors group of a particular team site. I gave the site some meaningful name, but let's call it "TheTeamSite" just for our convenience here. Everything worked fine and I forgot about it.

This morning I received an email from one of those users complaining that he could not browse to TheTeamSite! He was adamant that he was using the right credentials!

I browsed to TheTeamSite and used "Site Actions -> Site Permissions -> Check Permissions" (on the ribbon), typed in the username and clicked the "Check Now" button on the popup. To my surprise I got "Permission levels given to UserName: None."

The appropriate AD group was in the Site Visitors group and the UserName was in that AD group. Everything was in good order, but that message was completely out of whack. I expected to see something like "Permission levels given to UserName: Read via Visitors group" or similar.

So I created a test user and dropped it in the same security group. I logged on as this new test user, and I could happily browse to TheTeamSite. This solved one problem: the user was using the wrong credentials (which was confirmed and resolved in due course).

However, the "None" permission level, which was now popping up for my new test user too, kept bugging me.

It was coffee time, no doubt. After the first sip of bitter coffee, it occurred to me that SharePoint is protecting the security of the security groups. If SharePoint were allowed to tell me that our user had Read permission via the Visitors group, then a malicious user could run Check Permissions on a bunch of users and eventually find out who the members of a given security group are. That would have been bad.
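For an administrator who has server access and wants to confirm effective access without relying on the ribbon's Check Permissions, here is an added example (mine, not from the original post) for the SharePoint 2010 Management Shell. It assumes the site URL and login are placeholders you replace, and it assumes that the server-side permission check evaluates the account's Windows token, which is where the AD group memberships live.

```powershell
# Added example, not from the original post. Run in the SharePoint 2010
# Management Shell on a farm server. $siteUrl and $login are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://intranet/sites/TheTeamSite"   # placeholder site URL
$login   = "DOMAIN\username"                     # placeholder user login

$web = Get-SPWeb $siteUrl
try {
    # Server-side check of the user's effective permission on this web.
    # Assumption: the login is resolved to the account's token, so access
    # granted through an AD security group is taken into account here.
    $canRead = $web.DoesUserHavePermissions($login,
        [Microsoft.SharePoint.SPBasePermissions]::ViewPages)
    "$login can view pages on $($web.Url): $canRead"

    # Show which SharePoint groups contain AD (domain) groups, so an admin
    # can see where access is granted indirectly via AD membership.
    foreach ($group in $web.SiteGroups) {
        $domainGroups = $group.Users | Where-Object { $_.IsDomainGroup }
        if ($domainGroups) {
            $names = ($domainGroups | ForEach-Object { $_.LoginName }) -join ", "
            "{0} contains AD groups: {1}" -f $group.Name, $names
        }
    }
}
finally {
    # SPWeb objects hold unmanaged resources; always dispose them.
    $web.Dispose()
}
```

Because this runs on the server under an administrative account, it does not expose group membership to ordinary site users the way a permissive Check Permissions result would.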

BTW: "SharePoint 2010 protects the security of the security groups" sounds cool, but it may be semantically wrong. It could be AD and the security group that are denying SharePoint this privileged information. But this has to be looked into on another occasion.
